The Internet Security Alliance (ISA) is a multi-sector trade association representing mainly the chief information security officers of Fortune 100 companies. ISA has a long-standing interest in seeing that the Framework achieves its objectives of better private-sector cybersecurity. ISA’s Cybersecurity Social Contract, published in 2009, first called for the collaborative industry-government development of standards and practices suitable for voluntary adoption, reinforced by market incentives; this approach led to Executive Order 13636 and the NIST Cybersecurity Framework (CSF). Since the CSF was unveiled in 2013, ISA has worked with the National Association of Corporate Directors (NACD) to integrate models such as the CSF successfully into enterprise-wide risk management programs.
The FAIR Institute is an organization with over 1,200 industry members that promotes a standard analytic risk model (FAIR) for information and operational risk, one that facilitates an economic analysis of cyber risk. FAIR is already listed by NIST on the NIST CSF Industry Solution Page as a complementary analytic model for quantifying and prioritizing risk.
NIST’s process of private-sector outreach and its proven track record of adjusting the Framework according to public input are a model among federal agencies for public-private partnerships. ISA and FAIR believe this process should be extended in a fashion similar to that which resulted in the development of the NIST CSF, but this time focused on implementation. ISA and FAIR believe that their models are complementary to the CSF and that a useful outcome of the NIST 1.1 effort would include an illustration of how these models can be used to create a broader and economically sustainable approach to enterprise-wide cybersecurity.