There’s a problem when a national or international standard starts using terms that neither its authors nor anyone else seem to have solid definitions for. This is the case with the term Cybersecurity outcome from the new NIST Cybersecurity Framework document. Read the short PDF we wrote about this, then please take the survey. The PDF is HERE.
In short, it isn’t entirely clear in the NIST Cybersecurity Framework what a Cybersecurity outcome is.
A) Some are going with a more-or-less implied interpretation: A Cybersecurity outcome is one of the outcomes listed in either the Categories or Subcategories section of Table 2 in the NIST Cybersecurity Framework. However, that definition isn’t actually given in the document.
B) Others are stating an extended implementation interpretation, inferred from multiple NIST and other documents: A Cybersecurity outcome is the business-need-defined and tiered implementation of the outcomes listed in either the Categories or Subcategories section of Table 2 in the NIST Cybersecurity Framework.
What’s your vote?