2025: The year we run the NIST Framework in over 50 organizations

We've been running the Framework in corporations throughout the year.

In this post, I'll share with you the main results and how this initiative has encouraged teams to work together to achieve the highest possible compliance.

In early January, we started using the Assessment provided by Veeam. In our client base and new logos. Today, at the end of October, we've already surpassed 50 clients, guided by scope of work, documentation, numerous meetings, and excellent commercial results.

After the Framework round, we typically move on to a series of Scope of Work and Commercial Movement

This has been quickly moving customers, distributors, manufacturers, and partners, and it's being treated with priority, according to projects already underway within organizations.

Yet another reminder that backup, often seen as a dull necessity, once again proves to be the unsung hero when it matters most.

Reviewing the model without governance

Remembering that governance was the last tower added to the Framework.

So, how do we apply it in our daily lives?

Let's get practical. The document helps guide us in creating the model according to the tool you want to create a "maturity diagnosis" for.

We have used the following model:

To share my experience, I chose 3 different cases and I will share the worst scores as well as the best, and which ones are most crucial to be addressed in the diagnosis.

Client	Identify	Protect	Detect	Respond	Recover	Maximum Score	Customer Score	Current Maturity
Customer 1	50%	92%	38%	95%	47%	280	167	60%
Customer 2	20%	62%	25%	0%	33%	280	81	29%
Customer 3	0%	0%	0%	50%	0%	280	20	7%

These examples show how maturity can evolve with a few weeks of work or the acquisition of tools to cover the towers.

Functions with the highest average gaps (most critical):

• Detect → average gap of 79%

• Identify → average gap of 76.6%

• Recover → average gap of 73.3%

Action Plan, Example: Customer 1

The customer had the highest compliance among our examples, but had some critical gaps. In this case, the customer still needed Veeam ONE and had a project pipeline due to network and physical limitations, in addition to not yet having cloud protection. Action Plan,

Example: Customer 2

With 29% compliance, a project executed in 4 days achieved 55% compliance. No investment required, just hours of service. The customer already had Veeam Enterprise Plus and Veeam ONE licenses. However, the tool was in default mode.

Example Client 3

The client doesn't have a backup tool or repository machines.

They rely only on snapshots and backup scripts.

They have a long journey to achieve the ideal scenario.

• Scenario Transformation The right investment at the right time.

Amidst so many attacks and uncertainties, some clients are able to change their infrastructure in a timely manner to get back up and running after an attack or disaster.

Not just when the problem has already spread and the client has no options for recovery.

Still on customer 1:

What actions were taken:

Security

• Configure Yara Scan

• Enable FEA and MA

• Configure AV to scan backup in bubble

• Normalize 15 non-compliant items

Deploy Veeam ONE

• Enable reporting

• Veeam Threat Center dashboard

• YARA content analysis

• Real-time monitoring, analysis, and alerts

• Reports and dashboards

• Intelligent diagnostics and remediation actions

• Capacity planning and chargeback

Recoverability

• Configure automated restore tests – 30 VMs

• Document IVR

• Enable Enterprise Manager

• Configure Sandbox

Operational

• Job reconfigurations

• Add a Jump Server for console access

• Enable session history storage

After these projects we had the following result:

• NIST and Veeam Events in Brazil.

Very good!

After sharing these practical cases, I also share the experience we've had at events, understanding from customers how they've dealt with this type of experience.