NIST Cybersecurity Framework Now Includes Guidance For Federal Agencies

Alex Campanelli | June 15, 2018 | tag: Regulation & Compliance

Recently, the National Institute of Standards and Technology (NIST) released guidance for federal agencies on applying the NIST Cybersecurity Framework to their own operations. This comes at a time of heightened attention on the government's cybersecurity efforts in the run-up to the 2018 midterm elections.

NIST is a non-regulatory agency of the United States Department of Commerce and is the creator of the NIST Cybersecurity Framework, a voluntary framework consisting of "standards, guidelines, and best practices to manage cybersecurity-related risk." Version 1.0 of the framework was published in February 2014, and version 1.1 followed in April 2018, to help "promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security."

Though it is neither a requirement nor a regulation, many organizations around the world have adopted the NIST Framework as a model to guide them in meeting other cybersecurity requirements and regulations. The addition of guidance aimed specifically at government agencies reflects the growing focus on those agencies, which have seen an increase in cyber attacks and which hold data that the framework's vendor management practices can help protect.

This new federal agency focus not only provides specific guidance to government organizations that house data attractive to malicious actors, but also reinforces the importance of having a strong third party risk management program in place. The framework's supply chain risk management guidance (the Supply Chain Risk Management category, ID.SC, added in version 1.1) recommends that organizations identify their highest-risk vendors, incorporate cybersecurity requirements into contracts with those vendors, and regularly assess and monitor the security posture of their most critical vendors.

Security ratings enable companies to do this efficiently and effectively. BitSight Security Ratings can help organizations develop or mature a third party risk management program that aligns with the NIST vendor management guidance: tier their most critical vendors, collaborate with those vendors to reduce ecosystem cyber risk, and continuously monitor those partners.

With the ability to drill down into the security details used to generate an organization's rating, companies can lead informed, data-driven conversations with vendors about their cybersecurity posture and ultimately reduce risk. Because BitSight's data has been independently verified to correlate with data breaches, organizations can also rely on the ratings to monitor cyber risk and inform important business decisions.

This post has been updated as of September 22, 2020.
