Date Published: May 2017
Comments Due: June 30, 2017 (public comment period is CLOSED)
Email Questions to: firstname.lastname@example.org
Matthew Barrett (NIST), Jeffrey Marron (NIST), Victoria Pillitteri (NIST), Jon Boyens (NIST), Gregory Witte (G2), Larry Feldman (G2)
[Updated 6/27/17: A spreadsheet is now available that maps SP 800-53 Rev. 4 controls to subcategories of the Cybersecurity Framework (v1.0).]
Draft NISTIR 8170 provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) can be used in the U.S. Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management publications. The specific guidance was derived from current Cybersecurity Framework use. To provide federal agencies with examples of how the Cybersecurity Framework can augment the current versions of NIST security and privacy risk management publications, this guidance uses common federal information security vocabulary and processes.
NIST will engage with agencies to add content based on agency implementation, refine current guidance and identify additional guidance to provide the information that is most helpful to agencies. Feedback will also help to determine which Cybersecurity Framework concepts are incorporated into future versions of the suite of NIST security and privacy risk management publications. NIST would like feedback that addresses the following questions:
- How can agencies use the Cybersecurity Framework, and what are the potential opportunities and challenges?
- How does the guidance presented in this draft report benefit federal agency cybersecurity risk management?
- How does the draft report help stakeholders to better understand federal agency use of the Cybersecurity Framework?
- How does the draft report inform potential updates to the suite of NIST security and privacy risk management publications to promote an integrated approach to risk management?
- Which documents among the suite of NIST security and privacy risk management publications should incorporate Cybersecurity Framework concepts, and where?
- How can this report be improved to provide better guidance to federal agencies?
Keywords Cybersecurity Framework; Federal Information Security Management Act (FISMA); Risk Management Framework (RMF); security and privacy controls