The conclusion from the survey is that most U.S. organizations' cyber-security systems and programs are not sufficient to withstand the persistence, tactical skills, and technological knowledge of the adversaries determined to invade and exploit the data systems of U.S. public and private cyber systems and operations for their own ends. Nation-states and other criminals are continually and rapidly updating their tactics in order to combat advances in security safeguards implemented by businesses and government agencies. Survey findings indicate that U.S. organizations have done little to invest strategically in cyber-security in relation to the overall business or agency strategy. Cyber-security spending will be most productive when the allocation of resources is based on specific business risks. Only 38 percent of survey respondents reported they have a methodology to prioritize security investments based on greatest risk and impact on the organization's business strategy. Cyber-security programs should also be designed with flexibility that enables an organization to address cyber threats quickly as they multiply and evolve. The survey found that many organizations fail to invest in the personnel and process capabilities that enable a rapid identification and response to prevent and mitigate threats. Funding for cyber-security must focus on data analytics that enable cyber-security personnel to identify patterns in anomalous network behavior and to have the resources of knowledge and funding to act quickly and effectively. This report outlines the best practices and standards for cyber-security of the National Institute of Standards and Technology (NIST).