U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 8170 (Initial Public Draft)

The Cybersecurity Framework: Implementation Guidance for Federal Agencies

Date Published: May 2017
Comments Due: June 30, 2017 (public comment period is CLOSED)
Email Questions to: nistir8170@nist.gov


Matthew Barrett (NIST), Jeffrey Marron (NIST), Victoria Pillitteri (NIST), Jon Boyens (NIST), Gregory Witte (G2), Larry Feldman (G2)


[Updated 6/27/17: A spreadsheet is now available that maps SP 800-53 Rev. 4 controls to subcategories of the Cybersecurity Framework (v1.0).]

Draft NISTIR 8170 provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) can be used in the U.S. Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management publications. The specific guidance was derived from current Cybersecurity Framework use. To provide federal agencies with examples of how the Cybersecurity Framework can augment the current versions of NIST security and privacy risk management publications, this guidance uses common federal information security vocabulary and processes. 

NIST will engage with agencies to add content based on agency implementation, refine current guidance and identify additional guidance to provide the information that is most helpful to agencies. Feedback will also help to determine which Cybersecurity Framework concepts are incorporated into future versions of the suite of NIST security and privacy risk management publications. NIST would like feedback that addresses the following questions:

  • How can agencies use the Cybersecurity Framework, and what are the potential opportunities and challenges?
  • How does the guidance presented in this draft report benefit federal agency cybersecurity risk management?
  • How does the draft report help stakeholders to better understand federal agency use of the Cybersecurity Framework?
  • How does the draft report inform potential updates to the suite of NIST security and privacy risk management publications to promote an integrated approach to risk management?  
  • Which documents among the suite of NIST security and privacy risk management publications should incorporate Cybersecurity Framework concepts, and where?
  • How can this report be improved to provide better guidance to federal agencies?



Federal Information Security Management Act (FISMA); Risk Management Framework (RMF); Cybersecurity Framework; security and privacy controls
Control Families

None selected


Draft NISTIR 8170 (pdf)

Supplemental Material:
Mapping SP 800-53 Rev. 4 controls to subcategories of NIST CSF v1.0 (xlsx)

Related NIST Publications:
SP 800-53 Rev. 4

Document History:
05/12/17: IR 8170 (Draft)
03/19/20: IR 8170 (Final)


Security and Privacy



cybersecurity framework

Laws and Regulations

Executive Order 13636, Federal Information Security Modernization Act