From EnergySec's update on the October Cybersecurity Framework workshop - the intended use of the CSF:
The Framework is really a simple model of common information security practices which also contains stubs to link it into your broader cybersecurity and business practices (such as risk management). There is nothing particularly new in it, but having a shared model of common practices allows for more standardized language while allowing individual organizations the freedom to tailor the actual use and implementation of those practices to their specific needs. The downside is that the Framework provides very limited assistance on its own for doing things like risk management, goal setting, and business integration.
Of course, this isn’t lost on NIST. They know that the Framework is meant to be (in their words) “additive”. It is meant to elevate, highlight, and communicate common practices that are already in use. It is not meant to change the state of the art or even to provide a full package view of either cyber or info security.
…When looking across organizations (and especially across the public/private partnership divide), the nature of the Framework can most easily be described as a cybersecurity flag. It is a rallying point for discussion between organizations, it provides a baseline for perspective, and the process itself has already demonstrated effectiveness at progressing old impasses that have often found themselves moving, for lack of a flag, in constant circles.
And the unintended use:
Several folks, in a number of the breakout sessions, mentioned that their executives and boards were still – despite every effort made in the language of the Framework itself – using it as a checklist. “Yes, we know that it says use risk management, but go ahead and implement all of it.” For those who really understand either information or cyber security, this is a fairly nonsensical and unsupportable position, but it’s an easy one for an outsider to have and it removes from them the responsibility of really thinking through the problem space or taking deeper action.