Business lobbying groups are pushing back on plans by federal scientists to add third-party measurement of cybersecurity to a voluntary framework designed to help private companies improve its defenses against hackers, cybercriminals and online spies.
A draft proposed revision of the National Institute of Standards and Technology’s Cybersecurity Framework, to be known as version 1.1, includes a new section on “measuring and demonstrating cybersecurity.” But public comments filed by business groups voice concern about what metrics should be used for measurement and how public that demonstration ought to be.
“Measuring state and trends over time, internally, through external audit, and through conformity assessment, enables an organization to understand and convey meaningful risk information to dependents, partners, and customers,” reads the introduction to the proposed new section….SOURCE