A customer of mine recently wondered about how much the NIST cybersecurity Framework was being used internationally. This is important because they have offices in other countries and wanted to know how favorably they would respond to using the Framework to guide their own cybersecurity program.
So, I did some research. My goal was to find out how many non-US organizations are using the Framework, or planning to do so. I used open sources available via Google search.
I wasn’t able to find any data on the rate of adoption by non-US organizations.
I found two reliable data sources on Framework adoption in general. Here are their conclusions:
- The rate of adoption in the US was 30% as of end of 2015 (Gartner)
- By the end of 2016, CSF adoption in the US is expected to be 43% (Dimensional Research, n=300).
- By 2020, more than 50% of US organizations will use it (Gartner)
- As compared with ISO 27001 and SANS Top 20, the Framework is the most likely security framework to be adopted by US organizations over the next year (Dimensional Research, n=300).
However, I did see a few case studies where large, US-based organizations (e.g., Intel) were using the Framework on an international basis. There is a Japanese translation of it and Italy has issued their own based on the NIST Framework.
Although not backed by any research, I also found indications that the Framework will soon become a requirement for all US federal government agencies. And I saw unsupported assertions that the Framework is being used by foreign organizations but no names were mentioned.
Here’s my advice if you are in a situation where you need to have some good PR on the Framework: Tell them you’re using ISO 27001. And this is easy and true because the NIST Cybersecurity Framework is 76% mapped to ISO 27001.
The remaining 24% of the non-ISO mapped subcategories are still easy to justify (RC.CO‑1: Public relations are managed) and you probably already do many of them (PR.IP-12: A vulnerability management plan is developed and implemented).
Anyone have additional data to help better understand international adoption of the Framework?