Computer Security Resource Center

Approaches for Federal Agencies to Use the Cybersecurity Framework: NIST Publishes NISTIR 8170
March 19, 2020

Today, NIST has published NISTIR 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework. It provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) can be used in the U.S. Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management publications. This specific guidance was derived from current Cybersecurity Framework use and implementer feedback. It provides eight example approaches to assist federal agencies as they develop, implement, and continuously improve their cybersecurity risk management programs.

The examples are consistent with OMB Circular A-130, Managing Information as a Strategic Resource, which provides guidance regarding the heavily used NIST Risk Management Framework, associated documents, and the Cybersecurity Framework. The examples also support OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control; use of the Cybersecurity Framework helps to identify, manage, report, and monitor the internal controls needed to properly manage potential information and technology risks to an agency. Draft NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), also released today, decomposes and advances concepts discussed in A-130, A-123, NISTIR 8170, and the Risk Management Framework (RMF).

Topics

Security and Privacy: risk management

Applications: cybersecurity framework

Laws and Regulations: Executive Order 13636, OMB Circular A-130

Created March 19, 2020, Updated June 22, 2020