An Introduction to Security Frameworks

Lloyd McCoy Jr.By Lloyd McCoy, Market Intelligence Manager

A key takeaway from RSA Conference 2019 was the importance of security frameworks. They encompass security best practices and help government agencies keep their heads above water amid all the cyber threats that are out there. When breaches do occur at the federal level, the post-mortem usually reveals some deficiencies in compliance.

For the federal government, the National Institute of Standards and Technology (NIST) is the primary source for security standards. The Office of Management and Budget (OMB) requires that agencies comply with NIST guidance. If you sell technology to the government, it’s important that you be familiar with security frameworks, because they play a big factor in why agencies buy what they buy in terms of security tools and services.

Security frameworks can largely be split into three categories: Control, Program and Risk.

The purpose of control frameworks is to identify a baseline set of controls, assess the state of technical capabilities, prioritize the implementation of controls and develop an initial roadmap for the security team. It’s important to become familiar with NIST SP 800-53, an important publication that catalogs security and privacy controls, because it helps agencies measure their impact. Government departments and agencies use NIST SP 800-53 to inform their purchasing decisions, specifically around incident response, configuration management, risk assessment and access control solutions.

Then there are program frameworks that help government offices assess the state of their overall security programs, build a comprehensive security program, measure maturity, conduct industry comparisons and simplify communication with industry. The NIST Cybersecurity Framework is a prime example of a program framework. It helps agencies develop a high-level view of the security life cycle (identify, protect, detect, respond and recover), as well as understand their current security posture and associated gaps. Compliance with the NIST Cybersecurity Framework requires that program managers have in their arsenal solutions such as asset management, identity management, continuous monitoring, mitigation tools, and response/recovery planning solutions.

Finally, there are risk frameworks that agencies use to define key process steps for assessing and managing risk; structuring risk management programs; prioritizing security activities; identifying, measuring and quantifying risk; and prioritizing security activities. The main standards that agencies follow here are NIST SP 800-30, NIST SP 800-37, and NIST SP 800-39. If you can demonstrate how you can help agencies get inside the attacker’s kill chain, uncover vulnerabilities and mitigate impact of breaches, you’ll find a receptive audience among agencies seeking to decrease their risk posture.

While compliance with these frameworks is mandatory, agencies and the offices under them, are at various levels of maturity. Therefore, both understanding your customers’ environments while becoming intimately familiar with these security controls is critical. Helping agencies comply with these frameworks will keep you in sync with their fiscal priorities and, of course, bring about better overall security.


Expand your reach and uncover new opportunities in government IT markets. Learn more about how immixGroup’s Market Intelligence team can help drive your business.

Keep up with IT trends in government. Subscribe to immixGroup’s Government Sales Insider blog.

About Lloyd McCoy Jr.
Lloyd McCoy is the manager of immixGroup’s Market Intelligence organization, leveraging market analysis and purchasing trends to help immixGroup suppliers and partners shorten their sales cycles. He has a M.S. in Strategic Intelligence from the National Intelligence University, a M.A. in Public Policy and a B.A. in Political Science, both from the University of Maryland. Prior to joining immixGroup, Lloyd was a senior analyst in the Intelligence Community for eight years, serving in a variety of senior analytic and project management positions in the U.S. and abroad.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: