Robert Mayer

Study to Assess Use of NIST Cybersecurity Framework

The National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF) was collaboratively designed as a tool to help companies strategically manage their cybersecurity risk. Policy discussions on both the national and international level since its creation in 2014 have credited this Framework for helping to improve corporate cybersecurity risk management practices. However, there is relatively little information about how companies have adopted and used the NIST Cybersecurity Framework (or other risk management frameworks), how their cybersecurity practices have changed as a result of its use, and what perceptions of the Framework’s impact have been to date on issues such as cybersecurity due diligence and defining a cybersecurity standard of care.


The Communications Sector Coordinating Council (CSCC), which USTelecom SVP Cybersecurity Robert Mayer chairs, recently submitted a response to a series of questions from the Government Accountability Office (GAO) related to the sector’s use of the Framework. In the letter to the GAO, we described a wide variety of specific activities undertaken by sector associations and member companies to advance awareness and use of the CSF. While these activities are vital to the success of the framework, it is also important that advocates of the framework and its evolution understand how individual enterprises are faring and any challenges that they face when considering its use.


Researchers at Indiana University, the University of Arizona, and the Belfer Center at the Harvard Kennedy School are conducting a study to help fill in these gaps by analyzing how the NIST Cybersecurity Framework is being used, which will help companies understand current cybersecurity practices in their industry.  USTelecom is asking members to participate in the study by filling out a short survey (e.g., less than 15 minutes) describing member use of the NIST Cybersecurity Framework or alternative risk management framework. Participation is entirely voluntary, and participants may terminate the survey at any point.  After researchers have compiled these data, participants will receive a complimentary copy of the resulting Harvard white paper that will highlight important trends in NIST CSF adoption and use within the industry.