(WASHINGTON, D.C.) – The following statement may be attributed to Larry Clinton, President and CEO of the Internet Security Alliance:
“The 1.1 version of the NIST Framework may prove to be more impactful than the original version released in 2013.
“While the initial NIST CSF was a landmark effort, especially in terms of the process NIST used to develop it, substantively it was largely a reorganization of existing standards and best practices long in use in the marketplace. While it had important benefits, such as providing common language for these differing models, it fell short of some of the most critical demands of Presidential Executive Order 13636, which generated its development. The current draft makes significant advancements toward achieving the goals of the original Executive Order.
“To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization. Indeed, the new draft makes clear that adaptation of the NIST CSF to some generic compliance regime was never intended and is, in fact, inappropriate.
“This reflects an understanding on the part of NIST that, over the past few years, the marketplace has developed a series of analytical tools to help organizations use the framework in a method that is cost-effective for them. We very much look forward to the next phase suggested in the v1.1 roadmap of focusing not so much on expanding the Framework itself, but assisting organizations on how to use the Framework in a cost-effective fashion, based on their unique situation.
“Finally, it must be emphasized that the process NIST used, while not identical to the original process, remains a model ‘use case’ for how government needs to engage with its industry partners to address the cybersecurity issue. Due to the inherent interconnectedness of the Internet, sustainable security can only be achieved through a true partnership. The NIST model stands in stark contrast to the antiquated regulatory models we see used in other parts of the world and even in some isolated cases here in the U.S. NIST treats its industry partners like partners, not stakeholders. The NIST approach generates trust and effective solutions. Much can be learned from following the NIST model.”
About ISA: The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy and promoting sound security practices. ISA’s “Cybersecurity Social Contract” has been embraced as the model for government policy by both Republicans and Democrats. ISA also developed the Cyber Risk Handbook for the National Association of Corporate Directors. For more information about ISA, please visit www.isalliance.org or 703-907-7090.