Survey: Agencies love the NIST cybersecurity framework



Not only has the National Institute of Standards and Technology’s cybersecurity framework raised the awareness of IT security in boardrooms across the country, it’s become a staple inside the government.

A wide majority of federal IT security employees surveyed by Dell are using the NIST framework in some fashion. Eighty-two percent told the company they are using sections of the framework within their own cybersecurity programs, with 53 percent saying they use the entire guide.

Of those who are using the framework, 74 percent say it’s used as a foundation for their cybersecurity roadmap, helping to improve organizational security.

Paul Christman, vice president of federal for Dell Software, said the framework is “just good policy,” no matter what sector is moving to embrace it.

“It applies to everyone,” he said. “It applies to schools, universities, hospitals, [the Defense Department], [the Intelligence Community], and civilian agencies. The document doesn’t say ‘This is how the government should protect the government,’ ‘This is how a bank should protect a bank.’ NIST was really trying to say ‘This wasn’t a government program or mandate;’ it’s just good practice.”

Christman said the lack of a mandate actually helped the document gain popularity with agencies.

“I think when people adopt things voluntarily, there is some ownership and accountability there,” he said. “It’s more like ‘We did this, it wasn’t done to us.’”

He also said it helped contractors get on the same page with agencies as they move to modernize their security systems.

“Everyone is now using the same vocabulary,” he said. “We can actually sit down and we produce marketing materials and say ‘Look, the framework is a given.’ That just accelerates things because we understand what they are talking about.”

That positivity echoes what Intel said earlier this year when the company talked about its tests with the framework.

“The nice thing about a framework is it’s very flexible,” Kent Landfield, director of standards and technology policy at Intel Security, told Cyberscoop. “So we were able to make those changes fit nicely into the evaluation process as a whole, and we were able to then pass it on to the folks who were doing the evaluation.”

Details of the survey can be found below: