About matthew.smith

  1. matthew.smith

    CSF Implementation Panel @RSAC2017

    As part of my daily job, I work with the NIST Cybersecurity Framework team. It is my pleasure to share with you that after 3 years of dialog with the community, the Cybersecurity Framework has been updated. This draft update, version 1.1, draws from discussions had at workshops, public comment periods, and general feedback received from stakeholders. The update is first and foremost an attempt to refine and clarify some aspects of the Framework. Additionally, the update adds additional information on topics that have been brought up as gaps in the original version, namely: cyber supply chain, measurement, and authentication. NIST is seeking comment on the draft from the community by April 10th, 2017. If you plan on being at RSA2017 in February, I will be moderating a panel on the Cybersecurity Framework implementation and update. Scheduled to join me are: the NIST Cybersecurity Framework Program Manager Matthew Barrett, Venable Senior Director for Technology Risk Management John Banghart, as well as Center for Internet Security VP and CFORUM Executive Director Tony Sager. We will be discussing the who, the what, and the where of the Framework at 8:00am on Thursday 2/16/2017 in Moscone North 131. For those attending in person or who see the recap later, continue the conversation here, on CForum. Come join us.
  2. matthew.smith

    Threat Informed Risk Management

    Version 3


    This document shows users how to implement threat informed risk management through use of the Cybersecurity Framework and NIST SP 800-154.
  3. matthew.smith

    Current or Target super smash debate

    In my humble opinion, the issue boils down to: it depends on what Tier you are on. If you start with a Current Profile and move to a Target Profile, you are Tier 1. If you start with a Target Profile and move to a Current Profile, you are a Tier 2. In the end, having both is essential for iterative progress. This topic will be the basis for the next white paper.
  4. There is a new resource in the Downloads folder! Together, Nemertes Research and G2 Inc have published a white paper on how to integrate a business risk portfolio (BRP) approach and the cybersecurity framework (CSF) released by NIST in February 2014 - Risk Management Through the Framework. This paper defines both the steps for the CSF and how to implement those steps using the Nemertes BRP approach. By implementing this guidance, organizations can gain efficiency and effectiveness in their cybersecurity programs by translating risk into actionable remediations.
  5. matthew.smith

    Risk Management Through the Framework

    Version 1.0


    By combining a business risk portfolio (BRP) approach and the Cybersecurity Framework (CSF), organizations can effectively manage cybersecurity risk.