NIST CSF, Eight Years Later:  A Conversation with Matt Barrett and Stu Daniels

Rick Tracy
Rick Tracy
April 12, 2022 • 3 min read

Anyone who follows cyber risk management is aware of the NIST Cybersecurity Framework, and understands the profound impact it’s had on the industry over the past eight years.

Being one of those people myself, I have been tracking and championing the NIST CSF since it was created – participating in conversations with the development team at the time. I was able to revisit the topic last week with my good friend Matt Barrett, who was the CSF program manager at NIST from 2014-2018.

During the interview, Matt provided some insights into how the CSF came to be, who has adopted the CSF, and how the CSF might evolve over time. Stu Daniels, the security manager for the Ministry of National Security Headquarters, Government of Bermuda, joined us and discussed his personal experience implementing the CSF to explain the benefits this specific framework can offer.

If you didn’t have a chance to catch the webinar, the on-demand version is available here.

Following the interview, I felt there were a few interesting topics that came up that warranted a little more discussion:

  1. If the NIST CSF was originally developed for critical infrastructure sectors, why hasn’t there been greater adoption by critical infrastructure sectors?  As we discussed on the call, the Government Accountability Office (GAO) has issued reports over the past few years explaining that adoption has been largely inconsistent and lacking in many critical infrastructure sectors. This makes it difficult to understand the cyber risk posture across all 16 critical infrastructure sectors, and to determine if the CSF is effective for managing cyber risk.

    Based on current world events, the threat (and potential impact) of cyber attacks on our critical infrastructure is a serious issue. How do we get these organizations to take proactive steps toward managing cyber risk? Is it time to re-think the voluntary nature of the CSF – should there be mandates, or is there another way to incentivize adoption? Personally, I think that some form of mandate is the only way – perhaps CSF implementations or profiles for each critical infrastructure sector that specify minimum cyber hygiene and operational standards.

  2. Is software helpful for operationalizing the NIST CSF? Based on my work with the Xacta cyber risk and compliance management platform over the past 22+ years, you can probably guess my answer here: YES! Cyber risk management has many of the same challenges as other complex and multi-user business functions (i.e. CRM, ERP, and project management). Using role-based workflow software to establish cyber risk management business rules makes perfect sense. Without it, a framework like the CSF exists as a PDF that is usually difficult to understand and, without automation, makes it hard to remember what activities need to be done.

    Beyond process orchestration, software offers other benefits, such as auditing user activity and centralizing all cyber risk management data and artifacts to establish a single source of truth.  Though it may not be essential, I think that cyber risk management software helps organizations implement with consistency, offers transparency into the process, and reduces user error. I recommend investing in purpose-built cyber risk management tooling that will help you navigate your cyber risk management journey. If you are interested, learn more about how Xacta can help.

Thanks again to Matt and Stu for their valuable insights. Again, if you weren’t able to catch the live webinar, I encourage you to watch the recording.

Rick Tracy
Rick Tracy
Former Senior VP and Chief Security Officer
Rick Tracy is the former senior vice president and chief security officer at Telos Corporation.
Read full bio

Subscribe to Our Newsletter

Although we may use your information for targeted marketing and advertising, as described in the Privacy Policy, we will never sell your information to any third party.