My question for the community is: Does your organization leverage federal government requirements, beyond NIST guidance, to establish your policies and implementation guidance for cybersecurity and risk management? For example, minus the reporting requirements, the bullet list of email and web security parameters could be replicated for a company.
Re: Binding Operational Directive 18-01: Enhance Email and Web Security
This really depends on the regulation or guidance to be adopted and/or the business benefit of it. I know that some of the enterprises out there do adopt some federal regulations; the majority, however, do it from a business perspective (bidding on contracts) rather than actual security concerns.