On December 5, the National Institute of Standards and Technology (NIST) issued its Update on the Cybersecurity Framework, summarizing stakeholder feedback on the 10-month-old, voluntary Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) version 1.0. The Framework is a tool to guide entities through steps to identify, protect, and defend their assets, and to respond and recover when cyber incidents happen—in short, helping entities manage their cyber risks. NIST gathered feedback on the Framework through a request for information, which received 57 responses from industry, academia, and governments (including multiplier organizations such as ITI), and through NIST’s 6th Cybersecurity Framework Workshop in October, which was free and open to all.
NIST’s update is extremely helpful for sharing initial lessons and prioritizing next steps. The update reports general awareness about, and market acceptance of, the Framework, although more could and should be done, and respondents provided many concrete suggestions in this regard. Organizations are using the Framework in various ways, including communicating with stakeholders about cybersecurity practices; demonstrating alignment with the Framework’s voluntary, global cybersecurity risk management standards, guidelines, and best practices; and building or improving cybersecurity risk management programs. Respondents urged against moving to a Framework 2.0, to allow more time to understand and use the current version. This underscores that the update must be read as an early-stage snapshot of a tremendous endeavor; the process has only just started.
While ITI believes all of the update’s observations and recommendations are important, we highlight below the key actions U.S. policymakers should take internationally, and in Washington, in 2015 to complement and strengthen the activities around the Framework and cybersecurity generally.
First, the update reports, “much more work is needed to ensure the Framework is known and understood overseas.” We strongly agree. Foreign governments, many at important junctures in their own cybersecurity policymaking, are carefully watching U.S. activities. ITI visited some key foreign capitals alongside NIST in 2014 and witnessed the deep interest in what we are doing. While we do not expect foreign governments to adopt the Framework, we hope all governments will work in a similarly inclusive and transparent manner and create globally workable policies that enable entities to better manage their cybersecurity risks. ITI plans to augment our global outreach in 2015, and NIST and the administration should do so as well. In fact, NIST’s travel budget should be increased to support its abilities in this regard.
Second, policymakers can undertake many useful domestic initiatives in 2015. While Congress should allow more time for the Framework to mature and enhance cybersecurity practices before taking specific legislative action, Congress can promote and support the use of the Framework within the federal government. ITI is currently developing cybersecurity legislative recommendations for the 114th Congress and looks forward to announcing them soon.
At the same time, the administration can undertake a range of activities to complement Framework efforts. For example, the administration should continue to focus on the other important workstreams under the February 2013 Executive Order 13686, Improving Cybersecurity in Critical Infrastructure, and the Department of Commerce should reinvigorate its Internet Policy Task Force (IPTF) and ask what activities the IPTF and Commerce generally should undertake to improve cybersecurity, particularly outside of the critical infrastructure sectors, given the changed policy and threat landscape since the IPTF’s 2011 “Cybersecurity, Innovation, and the Internet Economy” Green Paper.
All policy activities—both by Congress and the administration—should be undertaken in the same open and transparent manner by which the Framework was developed. Many people in the U.S. and abroad have remarked on the enthusiasm and activity across multiple industry sectors surrounding the Framework. This is because we all contributed ideas and expertise and NIST listened, resulting in a truly useful tool. ITI and our members look forward to continuing to contribute to effective cybersecurity policies in 2015.