International Use of NIST Cybersecurity Framework

A customer of mine recently wondered about how much the NIST Cybersecurity Framework was being used internationally. This is important because they have offices in other countries and wanted to know how favorably those offices would respond to using the Framework to guide their own cybersecurity program.

So, I did some research. My goal was to find out how many non-US organizations are using the Framework, or planning to do so. I used open sources available via Google search.


I wasn’t able to find any data on the rate of adoption by non-US organizations.

I found two reliable data sources on Framework adoption in general. Here are their conclusions:

  • The rate of adoption in the US was 30% as of the end of 2015 (Gartner).
  • By the end of 2016, CSF adoption in the US is expected to be 43% (Dimensional Research, n=300).
  • By 2020, more than 50% of US organizations will use it (Gartner).
  • As compared with ISO 27001 and the SANS Top 20, the Framework is the most likely security framework to be adopted by US organizations over the next year (Dimensional Research, n=300).

However, I did see a few case studies where large, US-based organizations (e.g., Intel) were using the Framework on an international basis. There is a Japanese translation of it, and Italy has issued its own framework based on the NIST Framework.

Although not backed by any research, I also found indications that the Framework will soon become a requirement for all US federal government agencies. And I saw unsupported assertions that the Framework is being used by foreign organizations, but no names were mentioned.

Here’s my advice if you are in a situation where you need to have some good PR on the Framework: tell them you’re using ISO 27001. This is easy and true, because the NIST Cybersecurity Framework is 76% mapped to ISO 27001.

The remaining 24% of subcategories that are not mapped to ISO are still easy to justify (RC.CO-1: Public relations are managed), and you probably already do many of them (PR.IP-12: A vulnerability management plan is developed and implemented).

Anyone have additional data to help better understand international adoption of the Framework?
