Identifying Agency Risks With the NIST Cybersecurity Framework

When the National Institute of Standards and Technology partnered with other federal agencies and the private sector to develop the first iteration of the NIST Cybersecurity Framework (CSF), the focus was on protecting our nation’s most critical assets. The primary audience was entities that own and operate critical infrastructure vital to our public safety and national security, such as utilities, telecommunications, transportation and healthcare.

In May, the administration released a cybersecurity executive order that requires agency leaders to adopt the NIST Cybersecurity Framework, which was initially developed as voluntary standards. The executive order states that agencies should use the CSF to manage their cybersecurity risk.

To better understand the extent to which agencies are adopting the CSF, GovLoop teamed up with cybersecurity firms Symantec and DLT to survey 116 federal employees. The survey specifically focused on whether agencies are taking advantage of the “Identify” function in the CSF.

“This function calls on organizations to look at every component of their cybersecurity enterprise,” said Ken Durbin, CISSP, Strategist for Symantec. That includes hard security assets, such as servers and networks, as well as soft assets, such as software, data and people. It also addresses concerns like governance, risk management approach and business use.

In this research brief, we discuss common barriers to identifying what security tools your agency has in place, procuring new solutions that align to your cyber strategy and how the CSF’s “Identify” function can help you address those issues. To gain additional insights on how industry can help government with these challenges, we interviewed security experts Don Maclean, CISSP, Chief Cybersecurity Technologist at DLT and Symantec’s Ken Durbin.