ISA Manufacturing Sector Recommendations
Source: Chapter 10 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity
Presidential Commission on Enhancing National Cybersecurity
Incentives for Improving Cybersecurity
“The government should complete the task begun with creation of the National Institute of Standards and Technology Cybersecurity Framework in determining what the most cost-effective elements of cyber defense are. The executive order that resulted in the framework’s creation never saw it as an end in and of itself. The order charged the network with setting out a ‘prioritized, flexible, repeatable, performance-based, and cost-effective approach’ to cybersecurity.”
Commission Action Item 1.4.1: NIST, in coordination with the NCP3, should establish a Cybersecurity Framework Metrics Working Group (CFMWG) to develop industry-led, consensus-based metrics that may be used by (1) industry to voluntarily assess relative corporate risk, (2) the Department of Treasury and insurers to understand insurance coverage needs and standardize premiums, and (3) DHS to implement a nationwide voluntary incident reporting program for identifying cybersecurity gaps. This reporting program should include a cyber incident data and analysis repository (CIDAR).
Commission text: The CFMWG would develop meaningful metrics for better understanding and quantifying the benefits that use of the Framework brings to organizations that adopt it. Most current efforts to measure cybersecurity effectiveness focus on the actions taken by an organization, rather than on those actions’ effectiveness. This group’s work should help address that gap, offering quantifiable information that can be used to improve the Framework and more precisely demonstrate where and how its use is most effective.
Fund IoT Security Research
“The National Science Foundation, the Defense Advanced Research Projects Agency and the research arm of the Department of Homeland Security should make funding research into this a priority.”
Commission Recommendation 2.2: The federal government should make the development of usable, affordable, inherently secure, defensible, and resilient/recoverable systems its top priority for cybersecurity research and development (R&D) as a part of the overall R&D agenda.