Survey: Majority of agencies follow NIST Cybersecurity Framework
- By Mark Pomerleau
- Dec 08, 2015
With the rising tide of cybersecurity threats to government networks, one good sign is that the overwhelming majority of federal agencies are following guidance provided by the National Institute of Standards and Technology’s cybersecurity framework.
That’s according to a recent survey, which found 82 percent of 150 IT and security professionals in the federal government said their agencies are either fully or partially implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity. When broken down further, 53 percent are fully implementing, with 29 percent partially implementing the guidance. The survey was conducted by Dimensional Research and sponsored by Dell.
Created with input from more than 3,000 people from industry, academia and government, the NIST framework provides voluntary guidance for public- and private-sector critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster uniformity in cybersecurity management communications.
“This is a very good piece of news,” Paul Christman, VP of Federal for Dell Software, told GCN. The most surprising finding of the survey, he said, was the “overwhelming support from the federal IT leadership on using the NIST cybersecurity protection framework. We knew it was popular, but we didn’t know how widespread it was.”
Part of the framework’s attraction, Christman suggested, is the fact that compliance is not mandated. Nevertheless, 74 percent of respondents said they used the framework for its cybersecurity roadmap, 68 percent said it improved organizational security and 39 percent said that it created a uniform approach to discussing security.
The survey’s low results for agencies using a uniform approach to cybersecurity reflect the differences in implementing cybersecurity across very diverse environments, Christman said. For the Defense Department, for instance, cybersecurity in theater or on the ground is remarkably different from that engineered for a large installation in the United States. “A virtual server data center that has just been dropped out of the sky and set up in some very inhospitable environment with no connectivity” has unique security architecture and engineering, he explained.
In terms of resources allocated to cybersecurity, 84 percent of respondents said their agency has been provided with the necessary resources and guidance to defend against insider threats, although anecdotal evidence sometimes suggests otherwise, Christman said: “If you ask people why they’re not doing something, they say, ‘I don’t have enough resources.’”
Those resource issues often stem from the lack of trained cybersecurity staff, Christman said. Some agencies have enough money to hire them, but cannot recruit or retain cybersecurity staff. This is an increasing challenge in the federal space, he noted.
As the cybersecurity framework evolves, Christman said, a primary focus should be on “non-traditional information technology.” Mobility and the Internet of Things, for example, are key aspects that must be addressed in greater detail, he said.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.