February 21st, 2016 – FOR IMMEDIATE RELEASE: Washington, DC
INDUSTRY COALITION URGES SPECIFIC AGENDA TO NIST ON CYBER SECURITY FRAMEWORK
A broad coalition of trade associations today filed a joint response to the National Institute of Standards and Technology (NIST) Request for Information (RFI) on cyber security. The letter commends NIST on its work thus far, saying, “The Framework has not only proven to be a useful tool in enhancing the nation’s preparedness and resilience, but the process NIST employed in developing the Framework is a model for government industry partnerships.” The group, which includes companies from virtually all sectors of critical infrastructure, then urges NIST to “replicate the process it used in developing the Framework with a renewed focus, not on expanding or refining the substance of the Framework, but working collaboratively with critical infrastructure sectors to promote appropriate use of the Framework.”
The coalition includes ISA, the American Gas Association (AGA), the American Water Works Association (AWWA), the Edison Electric Institute (EEI), Utilities Telecom Council (UTC), and the Internet Security Alliance, which includes major defense companies, financial services, health care, IT, Telecom, education, retail and even agricultural corporations.
The letter details how industry is already seeing regulatory efforts that would turn the Framework into a compliance-based system, notwithstanding the clear voluntary vision of both the President’s Executive Order that created the Framework and the Framework itself. “We are extremely concerned that such regulatory misalignment could undermine the collaborative nature of the partnership which we believe is absolutely critical to make significant strides toward the nation’s cyber security goals.”
The joint letter suggests that “While many larger and/or more mature organizations have reported use of the Framework… use may be lower for less mature and/or smaller entities.” It urges that the “next phase of the Framework make understanding the issues confronting these smaller entities and addressing their unique concerns a top priority.”
Specifically, the joint letter suggests NIST address five topics:
- Prioritization – to make the Framework “more user-friendly for small and mid-sized entities.”
- Cost Effectiveness – “Entities are often challenged to decide where to spend the limited marginal capital available for cyber security enhancements and other investment. The next NIST process could have the goal of developing methods through which varying sized entities could assess which elements in the Framework will be best for their own particular company.
- Incentives – The next NIST initiative could include methods and analyses to determine the delta between commercial and national security and identify incentives that can be deployed to promote the appropriate level of security in the national interest and on a sustainable basis.
- Governance – NIST should evaluate potential future governance models and examine their feasibility, including the option of NIST keeping the governance of the Framework.
- International Alignment – Many companies have global operations and disparate regimes create confusion and inefficiencies. NIST should evaluate what impact the Framework has had at the international level and how best to build upon its early success in this area.
For more information, please contact:
- Larry Clinton, President and CEO, ISA, email@example.com / (202) 236 – 0001
- Nadya Bartol, VP Industry Affairs & Cybersecurity Strategist, UTC, firstname.lastname@example.org / 202-833-6809
- Jim Linn – Managing Director, IT, AGA, email@example.com / 202-824-7272
- Scott Aaronson – Senior Director National Security Policy, EEI, SAaronson@eei.org / (202) 508-5481
- Tom Farmer – Assistant VP of Security, Association of American Railroads, firstname.lastname@example.org / 202-639-2220
- Randi Parker – Director, Public Advocacy, CompTIA, email@example.com /