Date Published: May 2017
Comments Due: June 30, 2017 (public comment period is CLOSED)
Email Questions to: nistir8170@nist.gov
Author(s)
Matthew Barrett (NIST), Jeffrey Marron (NIST), Victoria Pillitteri (NIST), Jon Boyens (NIST), Gregory Witte (G2), Larry Feldman (G2)
Announcement
[Updated 6/27/17: A spreadsheet is now available that maps SP 800-53 Rev. 4 controls to subcategories of the Cybersecurity Framework (v1.0).]
Draft NISTIR 8170 provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) can be used in the U.S. Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management publications. The specific guidance was derived from current Cybersecurity Framework use. To provide federal agencies with examples of how the Cybersecurity Framework can augment the current versions of NIST security and privacy risk management publications, this guidance uses common federal information security vocabulary and processes.
NIST will engage with agencies to add content based on agency implementation, refine current guidance and identify additional guidance to provide the information that is most helpful to agencies. Feedback will also help to determine which Cybersecurity Framework concepts are incorporated into future versions of the suite of NIST security and privacy risk management publications. NIST would like feedback that addresses the following questions:
- How can agencies use the Cybersecurity Framework, and what are the potential opportunities and challenges?
- How does the guidance presented in this draft report benefit federal agency cybersecurity risk management?
- How does the draft report help stakeholders to better understand federal agency use of the Cybersecurity Framework?
- How does the draft report inform potential updates to the suite of NIST security and privacy risk management publications to promote an integrated approach to risk management?
- Which documents among the suite of NIST security and privacy risk management publications should incorporate Cybersecurity Framework concepts, and where?
- How can this report be improved to provide better guidance to federal agencies?
This publication assists federal agencies in strengthening their cybersecurity risk management by helping them to determine an appropriate implementation of the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework). Federal agencies can use the Cybersecurity Framework to complement the existing suite of NIST security and privacy risk management standards, guidelines, and practices developed in response to the Federal Information Security Management Act, as amended (FISMA). The relationship between the Cybersecurity Framework and the National Institute of Standards and Technology (NIST) Risk Management Framework is discussed in eight use cases.
Keywords
Cybersecurity Framework; Federal Information Security Management Act (FISMA); Risk Management Framework (RMF); security and privacy controls
Control Families
None selected