The NIST Cybersecurity Framework is the core of the president’s recent cybersecurity executive order, and even before it became the foundation of a mandate it was darn good advice.

However, there is no single easy way to align a given IT organization with the framework; each one has its own considerations, limitations and advantages. To help federal IT leaders work through it, Cisco Senior Director of Security Sales Will Ash and Public Sector Cybersecurity Specialist Steve Caimi offered some insights in an interview with FedScoop.

Key takeaways:

Pay Attention: The framework is centered on managing risk, Caimi noted. However, each agency’s risk profile is different. That is a challenge, but also part of why the framework is powerful. It requires IT leaders to take an individual approach to assessing and understanding their own risk.

Follow the Risk: Once an agency has developed its target profile (the outcomes it wants to achieve) and compared it with its current profile to see where the gaps carry the greatest risk, it should let that analysis inform its investment decisions, Caimi advised.

Remember the People Factor: Cybersecurity technology is robust and mature. However, Ash noted, a federal agency’s cyber workforce and its processes often are not. “Even the most sophisticated and well-designed technology really can’t live up to the potential talent shortages or a lack of talent,” he said in the interview.

Leaders Must Step Up: The executive order specifies that agency heads will be held accountable for meeting its requirements. That will spur many of them to get involved in the process where they might not have been before, Ash said.

Read the interview for more great insights from Steve and Will.


Michael Hardy

US Federal SME

Cisco Americas Public Sector