Criteria for Submission
- Candidates for Success Stories may submit ideas to NIST before they prepare the document – or they may simply submit drafts to NIST for review and approval.
- All text will be approved both by NIST and the user organization before public release.
- Success stories must avoid text or images that suggest NIST’s endorsement.
- NIST will make Success Stories available on the Cybersecurity Framework website and as handouts. Organizations featured in Success Stories are encouraged to distribute them directly – but should not use Success Stories to promote products or services.
- Organizations featured in Success Stories will be asked to review and update text annually; outdated stories may be removed from NIST’s website.
How to Submit
- Success Story correspondence (drafts, ideas, questions, etc.) should be addressed to cyberframework [at] nist.gov (subject: Success%20Stories) (cyberframework[at]nist[dot]gov).
Success Story Layout
Template for CSF 2.0 Success Stories Coming Soon.
Please use this template to submit a CSF 1.1 Success Story.
The template is limited to two pages and has limited space under each header. Your organization logo will be placed on the bottom left corner of each sheet and your contact information should be provided within the space at the bottom right side of the second page. There are also two placeholders for graphics in the upper right-hand corners of each page (i.e., the first page traditionally includes a quote referencing your organization using the Framework in some fashion).
The layout under each header follows the approach below:
Page 1:
Organization Name (top left)
- Please replace [Organization Name] with the name of your organization.
Organizational Profile
- Please describe the basics of your organization.
- Typically, most organizations include:
- Size
- Sector
- Location
- Customers
- Role in the supply chain
- Historical cybersecurity challenges
- Any new needs or reason to improve cybersecurity across the organization
- Any descriptors not listed here that may help the reader to better understand your organization
Situation
- Please describe your cybersecurity situation prior to the NIST Cybersecurity Framework.
- Ways to address the situation include thinking of an issue or issues that the NIST Cybersecurity Framework has helped your organization to solve, such as:
- Difficulties that different business units encountered, prior to the NIST Cybersecurity Framework
- The state of cybersecurity awareness across the organization
- The need for self-assessment
- International or regulatory drivers
- Strengthening national infrastructure
- Why your organization chose the NIST Cybersecurity Framework
Process
- Please describe the NIST Cybersecurity Framework process within your organization.
- Ways to build upon the process include anecdotes or steps that helped your organization to use the NIST Cybersecurity Framework, such as:
- The efforts of those who were championing the NIST Cybersecurity Framework
- The creation of a risk management program
- Assessing the organization's posture
- Addressing leadership concerns
- The process(es) involved to roll-out the NIST Cybersecurity Framework
- Collaboration between disparate areas of the business
- The achievements of the business unit that rolled out the NIST Cybersecurity Framework
- Which of the various elements in the NIST Cybersecurity Framework were most helpful for your organization?
Picture (top right blue box)
- Please provide a picture of either:
- The individual providing the quote (top right corner)
- An organizational photo
Stakeholder Quote
- Please provide a quote about your organization’s implementation of the NIST Cybersecurity Framework from a senior level person.
- Please provide the individual’s name and title.
Process (Continued)
- Please continue to provide additional information relating to the process at your organization that led to adopting the NIST Cybersecurity Framework.
- This section could also include:
- How your organization has come together under the NIST Cybersecurity Framework.
- How leadership has come to realize the important role that cybersecurity now plays in your organization, as a result of the NIST Cybersecurity Framework's adoption.
Logo (bottom left footer)
Please provide your organization’s logo.
Page 2:
Top Left box
- Please use this space to finish describing the NIST Cybersecurity Framework adoption process at your organization.
Results and Benefits
- Please describe any benefits, anecdotes, a new achievement, or lessons learned.
- Examples could include:
- What were the specific benefits realized using the NIST Cybersecurity Framework?
- How are non-cyber focused business units making changes?
- Is the organization working with other supply chain partners more closely to protect cybersecurity interests?
- What cost-benefits were achieved through Framework adoption?
- How has the business mitigated risks to its mission?
- These anecdotes can include issues encountered or resolved.
Top Right box
- Please provide an organizational image or graphic.
- Some organizations choose to use this space to demonstrate part of their new processes as a result of the NIST Cybersecurity Framework.
Results and Benefits (Continued)
- Please use this space to continue to describe the benefits that your organization has realized as a result of the NIST Cybersecurity Framework.
Contact Information & Resources
- Please provide your organizational contact information:
- A public point of contact name
- A public point of contact email
- A public website for your organization
Submit to NIST (button in footer)
- Clicking this button will launch either a dialogue box to select the email program with which to submit the form, or it will launch Outlook and attach the form to an email.
- Note: Please be sure to ‘Save As’ first!
Additional Notes and Tips:
- Where possible, avoid acronyms. If they are used, please spell them out first.
- Use bullets liberally to enable scanning by the reader.
- Use appropriate graphics to complement the Success Story, which may include photos, diagrams, or illustrations. Neither of these should promote a product or service.
- The final layout must be approved by the NIST Cybersecurity Framework team, as well as, the organization’s point of contact, prior to posting on the NIST website and for any distribution.