
The ROI of Implementing the NIST Cybersecurity Framework


For organizations looking to adopt a cybersecurity framework or standard, the NIST Cybersecurity Framework (CSF) is widely regarded as the most thorough way to apply best practices. Many other frameworks exist, but the NIST CSF gives you a nationally recognized guideline to scale your business and your cybersecurity program against. Regulations such as DFARS 252.204-7012 for defense contractors build their required standards from NIST controls, and those standards now factor into how contract bids are evaluated.

We conservatively estimate that implementing the NIST CSF was worth $1.4 million for By Light, a mid-sized government contractor that won a one-year DoD contract awarded in 2017. By Light brings in about $230 million in revenue each year, according to Washington Technology.

By Light won the contract, worth $59.5 million on its own, even though a competitor underbid it by roughly $2.8 million. According to the GAO protest decision discussed below, a key reason was that By Light had implemented the NIST CSF. Our estimate is probably conservative: a $60 million award is relatively small, and the same evaluated strength would be worth more on larger contracts.

The DoD proposals were judged on four factors and cost, with each of the four factors weighted equally.

Evaluation factor                 Winning company (By Light)          Losing company
Factor 1                          Acceptable                          Acceptable
Factor 2 (cybersecurity)          Good (better cybersecurity)         Acceptable
Factor 3                          Acceptable                          Acceptable
Factor 4 (quality of management)  Good (better management approach)   Acceptable
Projected cost                    $59,487,541                         $56,677,105

The winning company outscored the losing company in two areas: cybersecurity (Factor 2) and its management approach (Factor 4).

It won despite bidding $2,810,436 more than the losing company, about 5% of the contract value. Since the four factors were weighted equally, we attribute half of that price premium to cybersecurity. On that basis, implementing the NIST CSF was worth at least $1,405,218 to the winning company, or roughly 2.5% of the contract.

The NIST CSF could be the key to winning future contracts

According to NIST, 87% of Department of Defense contracts included the DFARS 252.204-7012 clause by July 2017. That clause, like the related standards, is built on NIST controls (it requires contractors to implement the security requirements of NIST SP 800-171). The U.S. Government Accountability Office (GAO) identified By Light's implementation of the NIST CSF as the decisive factor in the DoD's award decision described above. Its decision noted:

“[The winning company] proposed to incorporate the voluntary NIST CSF on top of its compliance with the baseline cybersecurity requirements, which was the basis of the unique strength awarded to its proposal.” (Page 9)

The U.S. Government Accountability Office’s report stated:

“Specifically, the strength was evaluated as follows:

The NIST Framework for Improving Critical Infrastructure Cybersecurity enables organizations to support and improve cybersecurity practices based on their individual business needs, tolerance for risk and available resources. […] It supports using a set of industry standards and best practices to help manage cybersecurity risks that offer tangible benefits that include improved efficiencies. Using this Framework as a management tool will support identifying activities that are most important to critical service delivery and allow for prioritization expenditures to maximize the impact of investment.” (Page 6)

The U.S. Government Accountability Office’s statement went on to say:

“The fact that the NIST CSF is seen as a positive addition to existing cybersecurity standards and guidelines and may ultimately be mandated in whole or in part does not undermine the reasonableness of the evaluated strength for By Light’s commitment to voluntarily implementing the framework before the framework becoming mandatory.” (Page 8-9)

Are Similar Frameworks Still Worth Implementing Separately?

Some frameworks are very similar in function. The losing company argued that the DoD Risk Management Framework (RMF) it had already implemented was so comprehensive that adding the CSF would change nothing. In short, it claimed the two frameworks are essentially the same.

While we cybersecurity aficionados cringe at the idea that "frameworks are pretty much the same," the argument in this case is far from ludicrous. Both frameworks were designed by NIST, but for different audiences: RMF is mandatory for federal agencies, while the CSF is voluntary for the private sector. Both are typically satisfied with controls drawn from the same NIST SP 800-53 catalog. In the losing company's words, "Given how complete the DoD RMF already is, the CSF may have little to add when it is ultimately incorporated." (Page 8)

Although frameworks do overlap, which makes your second framework easier to implement than the first, the GAO, in upholding the award, accepted that similar frameworks can still be separately valuable. To quote the decision: "The two NIST standards are separate and complementary."

This means the U.S. Government, at least when awarding contracts, can treat cybersecurity frameworks, even similar ones, as distinct and complementary. That suggests companies can gain an advantage in bidding on U.S. Government contracts by implementing more than one framework.

Each additional framework is progressively easier to implement, so adopting several may pay off. The cost is on the management side: the more frameworks you implement, the harder it becomes to keep track of them all, especially for companies running these processes in spreadsheets. Cybersecurity management solutions exist that aim to streamline NIST and DFARS compliance.

How to crosswalk from one framework to another

Because cybersecurity frameworks overlap, your second framework should be easier to implement than your first. But crosswalking, that is, determining how and where an outcome in one framework translates into another, can be difficult and tedious.

To crosswalk manually between two frameworks, you first need a mapping between them. Appendix H of NIST SP 800-53 Revision 4, for instance, maps NIST SP 800-53 controls to ISO/IEC 27001 controls. Using that mapping, you then associate the compliance notes, evidence, and artifacts you already hold for one framework with the corresponding requirements in the other. Two caveats apply: mappings are many-to-many, and a mapped control rarely satisfies the target requirement in full, so a "compliant" control on one side usually only partially addresses the outcome on the other until you have reviewed the gap.

Done by hand, this is an arduous exercise of sorting and toggling between standards that can take days or even weeks. If you started with ISO or PCI and want to project that work onto the Cybersecurity Framework, you will have over one hundred controls and their compliance states to map onto 98 subcategories and 301 controls.
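The projection step described above is easy to get wrong when several source controls feed one target outcome. The following script is an added example for this page, not code from CyberSaint or from any NIST publication. It loads a mapping table of the shape a published crosswalk provides, projects an ISO 27001 assessment onto CSF subcategories with a conservative roll-up rule, carries the evidence artifacts across, and reports both the target outcomes nothing maps to and the source controls whose work does not carry over. The control identifiers, mapping pairs, assessment states and evidence names are all constructed for the demonstration; they are assumptions, not Appendix H or CSF informative-reference data.

```python
from collections import defaultdict

# Compliance states a control can carry in an assessment.
STATES = ("compliant", "partial", "non_compliant", "not_assessed")

# Constructed many-to-many mapping (source control -> target outcome).
# The shape is what a published crosswalk gives you; the pairs themselves are
# assumptions for this example, not copied from SP 800-53 Appendix H or the
# CSF informative references.
MAPPING = [
    ("ISO A.9.2.1", "PR.AC-1"),
    ("ISO A.9.2.2", "PR.AC-1"),
    ("ISO A.9.4.2", "PR.AC-7"),
    ("ISO A.12.4.1", "DE.CM-1"),
    ("ISO A.12.4.1", "PR.PT-1"),
    ("ISO A.12.4.3", "PR.PT-1"),
    ("ISO A.16.1.5", "RS.RP-1"),
]

# Constructed assessment of the source framework (state plus evidence artifacts).
ISO_ASSESSMENT = {
    "ISO A.5.1.1":  {"state": "compliant", "evidence": ["InfoSec policy v4"]},
    "ISO A.9.2.1":  {"state": "compliant", "evidence": ["joiner/leaver SOP", "IAM export 2023-03"]},
    "ISO A.9.2.2":  {"state": "partial", "evidence": ["access request tickets"]},
    "ISO A.9.4.2":  {"state": "compliant", "evidence": ["MFA policy"]},
    "ISO A.12.4.1": {"state": "compliant", "evidence": ["SIEM retention config"]},
    "ISO A.12.4.3": {"state": "non_compliant", "evidence": []},
}


def invert_mapping(mapping):
    """Group the mapping by target: target outcome -> contributing source controls."""
    by_target = defaultdict(list)
    for src, dst in mapping:
        by_target[dst].append(src)
    return by_target


def roll_up(states):
    """Combine the states of every source control behind one target outcome.

    Conservative rule: the target counts as compliant only when every
    contributing control is compliant; any mix (including a control that was
    never assessed) is reported as partial so the gap stays visible for review.
    """
    if not states or all(s == "not_assessed" for s in states):
        return "not_assessed"
    if all(s == "compliant" for s in states):
        return "compliant"
    if all(s == "non_compliant" for s in states):
        return "non_compliant"
    return "partial"


def crosswalk(assessment, mapping, target_ids):
    """Project a source-framework assessment onto the target framework's outcomes."""
    by_target = invert_mapping(mapping)
    projected = {}
    for target in target_ids:
        sources = by_target.get(target, [])
        states = [assessment.get(s, {}).get("state", "not_assessed") for s in sources]
        evidence = {e for s in sources for e in assessment.get(s, {}).get("evidence", [])}
        projected[target] = {
            "state": roll_up(states),
            "from": sources,
            "evidence": sorted(evidence),
        }
    return projected


def unmapped_sources(assessment, mapping):
    """Assessed controls that no mapping row touches: work that does not carry over."""
    mapped = {src for src, _ in mapping}
    return sorted(set(assessment) - mapped)


if __name__ == "__main__":
    targets = ["PR.AC-1", "PR.AC-7", "PR.PT-1", "DE.CM-1", "RS.RP-1", "ID.AM-1"]
    for target, row in crosswalk(ISO_ASSESSMENT, MAPPING, targets).items():
        print(f"{target:8} {row['state']:14} <- {', '.join(row['from']) or '(no mapping)'}")
    print("not carried over:", unmapped_sources(ISO_ASSESSMENT, MAPPING))
```

Two design points matter in practice. The roll-up is deliberately pessimistic: PR.AC-1 comes out "partial" because one of its two contributing ISO controls is only partially met, and RS.RP-1 comes out "not_assessed" because its only mapped control was never reviewed, so neither can be claimed as compliant by accident. The unmapped-sources report is the other half of the picture: evidence collected for a control with no mapping row (here the policy control) is real work that simply does not project into the target framework and has to be re-homed by hand.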

by CyberSaint co-founder Scott Schlimmer on CSO Online.

CyberStrong supports DFARS, NIST, and other frameworks such as GDPR and PCI, so you can address any mix of standards, including the NIST Framework, from one place. It helps you scale compliance and risk management one framework at a time: you can add new frameworks and bring yourself into compliance with them in-house, then continuously manage and report on your compliance posture.
