Federal employees enthusiastic about NIST framework, survey finds
There is widespread awareness among leaders throughout the federal government that agencies need to improve their cybersecurity capabilities. And while it could be argued that actual action in this realm was delayed for far too long, it's certainly true that federal decision-makers are now embracing a variety of steps in order to shore up the government's data protection efforts.
One of the more significant examples of the federal government's commitment to improved IT security has been the development of a broad cybersecurity framework by the National Institute of Standards and Technology. This framework, released in February of last year, aimed to reduce the risk of cyberattacks striking at critical infrastructure and was intended to apply to both the public and private sectors. Thousands of experts weighed in to help create the standards that eventually formed the framework.
After nearly two years, it is now fair to assess what kind of impact this framework is having on federal cybersecurity efforts. As a recent survey made clear, the NIST framework has achieved significant adoption among agencies and, just as importantly, federal personnel are enthusiastic about the standards.
"Over 80% indicated that their agencies have either completely or partially embraced the NIST Framework."
The adoption survey, conducted by Dimensional Research and sponsored by Dell, included feedback from 150 IT and cybersecurity professionals working for federal agencies. Among these respondents, more than four-fifths indicated that their organizations have either completely or partially embraced the NIST Framework for Improving Critical Infrastructure Cybersecurity. Significantly, more than half – 53 percent – said their agencies have achieved full implementation, while 29 percent have partially implemented the framework. Seventy-four percent of respondents said they turned to the framework when developing their departments' cybersecurity road maps.
Furthermore, 68 percent of participants said that the NIST framework has improved their organizational security capabilities, according to GCN. Nearly two-fifths said that the framework has had the benefit of making it easier to discuss cybersecurity with a more uniform approach.
"This is a very good piece of news," said Paul Christman, VP of Federal for Dell Software, the news source reported. He added that the survey found "overwhelming support from the federal IT leadership on using the NIST cybersecurity protection framework. We knew it was popular, but we didn't know how widespread it was."
These numbers are particularly noteworthy because adoption is not mandatory. This demonstrates how eager wide swaths of the federal government were for guidance in the realm of cybersecurity, and how this strategy is now filling that niche.
"I think when people adopt things voluntarily, there is some ownership and accountability there," Christman told FedScoop. "It's more like 'We did this, it wasn't done to us.'"
That attitude helps to explain why federal stakeholders have responded so positively to the framework, and why they are enthusiastic and confident enough to use this as the basis for their own agencies' cybersecurity plans.
"A shared framework ensures that different departments are operating on the same frequency."
Clearly, the NIST framework is valuable in that it provides both a starting point and guide for agencies as they move to develop and implement their own cybersecurity strategies. Yet this is not the only advantage from a government-wide perspective. Additionally, it is important to note that a shared framework helps to ensure that different departments are operating on the same frequency when it comes to cybersecurity, and that makes cooperation and collaboration far more feasible.
"Everyone is now using the same vocabulary," Christman said to FedScoop. "We can actually sit down and we produce marketing materials and say 'Look, the framework is a given.' That just accelerates things because we understand what they are talking about."
With all that established, it bears noting that the NIST framework is not the be-all, end-all of cybersecurity for federal agencies, or for any other organizations. The fact remains that this resource is not sufficient in and of itself to protect critical infrastructure from the threat of cyberattack. On the contrary, agencies still need to develop their own approaches to cybersecurity.
Critically, these strategies and tactics need to take into account the unique aspects of each individual agency. While there are undoubtedly many best practices that span the government and which the framework can help establish, no two agencies will have precisely the same needs or goals when it comes to cybersecurity.
These variations take a number of forms, each of which will have an impact on the ideal cybersecurity strategy. Key factors include the amount and type of data that an agency possesses and collects, the number of authorized users within the department, the popularity of mobile IT, the reliance on cloud services and much more.
This means that optimized cybersecurity is and will remain a challenge even as agencies come to rely on broad frameworks to a greater degree. The only way for the federal government to keep its data and other digital assets safe is to work with personnel who have the expertise and experience needed to unite a government-wide cybersecurity strategy with a customized, agency-specific approach to data protection.