NIST CSF Questions from the Road Part 3

Will NIST CSF be mandated in the future by a legislative or industry body?

When it comes to operationalizing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), cybersecurity professionals across the country share many of the same questions and concerns. One of the questions RSAM CEO Vivek Shivananda often receives during the RSAM Cybersecurity Luncheons is whether the NIST CSF will be mandated in the future by a legislative or industry body.

While we don’t have an inside track on the government’s regulatory plans, we believe that at some point the NIST CSF, or something very much like it, will be a mandated requirement. Given the volume and velocity of breaches today, especially when we consider state-sponsored attacks and what is needed to protect critical infrastructure, we think the government will be forced to introduce additional regulations that hold organizations accountable for the protection and confidentiality of their data.

The NIST CSF has more merit as a regulatory compliance mandate than anything else we’ve seen in the 14 years we’ve focused on information security, compliance, and GRC. This is largely because adoption is not limited to the public sector; it extends to the private sector and internationally as well.

It’s not hard to see why the government might turn something like the NIST CSF into regulation, so any effort to operationalize the framework now will certainly help prepare for that. It’s a good thing to do anyway, whether it becomes a regulation or not. As we’ve explained previously, the NIST CSF can help organizations deal with attacks and complement the other control frameworks they already have in place.