February 28, 2017

(WASHINGTON, D.C.) – The Internet Security Alliance said today that the legislation the House Science Committee is scheduled to consider this week is a step in the right direction, and that it hopes to work with the Committee to refine it as it moves forward through the legislative process.

The bill calls on NIST to define what constitutes use of the NIST Cybersecurity Framework and develop outcome-based and quantifiable metrics to help federal agencies analyze and assess the effectiveness of the Framework.

“Given the increasing severity of the cyber threat, it is essential that we clarify basic elements of the Framework, such as defining what it means to use the Framework and what it means to be effective,” said Larry Clinton, President of the ISA. “This bill takes the important first steps to resolve these problems and allows the private sector the opportunity to voluntarily follow as they see fit.”

ISA has long called for evaluating the Framework for not only effectiveness and prioritization, but also cost-effectiveness, as called for in President Obama’s Executive Order 13636, and is encouraged by the Committee’s work. While the bill does not call for a cost-benefit analysis, it does call for developing a template for federal agencies on how to use the Framework, which the private sector could, in effect, voluntarily adopt as implementation models and modify for use in their particular sector.

“We are long past the time where we can rely on anecdotal reports from various entities as to how the Framework is being used. Three years after its release, we have no objective data that reliably tells us if the existence of the Framework has actually changed behavior, if those changes have actually improved security, and critically if use of the Framework is cost effective. We look forward to working with the Committee to add this critical piece of the Framework, as called for in the Executive Order that created the Framework in 2013,” Clinton said. “Companies will naturally use elements of the Framework that have been shown to be cost effective. Having data like this – even if it is just from federal agencies – would be one of the best bulwarks we can have against creating a regulatory environment in cybersecurity.”

“While the bill does not address the need for a cost-benefit analysis of the Framework – which is something ISA will like to see in the near future – this bill is a positive step to creating a sustainable cybersecurity system,” said Clinton. “ISA applauds the House Science Committee’s efforts to address the systemic issues within cyber space.”


About ISA: The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy and promoting sound security practices. ISA’s “Cybersecurity Social Contract” has been embraced as the model for government policy by both Republicans and Democrats. ISA also developed the Cyber Risk Handbook for the National Association of Corporate Directors. For more information about ISA, please visit or 703-907-7090.