ITI congratulates today’s release of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The process that went into developing this Framework has been a model for how the public and private sectors can work together to serve the national interest. In effect, the U.S. Government leveraged a tremendous amount of stakeholder input in an open, transparent, and collaborative manner, to create a major cybersecurity policy initiative. Government, industry, and other private stakeholders have a shared interest in improving cybersecurity, and the Framework moves us significantly toward that goal.
The Framework has great potential to help individual organizations manage their cyber risks, collectively strengthening our nation’s -- and the world’s -- cybersecurity. It represents an effective approach to cybersecurity because it leverages public-private partnerships, is based on risk management, and is voluntary. It references existing, globally recognized, voluntary, consensus-based standards, and best practices that are working effectively in industry now. It is technologically neutral, fostering innovation in the private sector and allowing industry to nimbly meet ever-changing cybersecurity challenges. And it nicely articulates how organizations should be factoring privacy considerations into their cybersecurity activities.
Importantly, the Framework is flexible, recognizing that different types of entities might use it for different purposes. Although it is aimed at critical infrastructure owners and operators, it can be useful to entities regardless of their size or relevance to U.S. national and economic security. And ITI itself, although certainly not a critical infrastructure entity, plans to determine how to make use of the Framework, which we think underscores the reality that it is a flexible tool that can be utilized by a wide range of organizations.
While the launch of the Framework may be important, the next steps are crucial. Eyes now turn toward the Department of Homeland Security (DHS) as it develops and implements the Voluntary Program intended to promote use of the Framework as called for under the same Executive Order (13636, “Improving Critical Infrastructure Cybersecurity”). DHS has gotten off to a solid start in creating the Program. Yesterday, ITI released recommendations on how DHS should approach this work, one being that DHS should partner with all stakeholders who want to contribute their ideas, expertise, and experience to the Program’s development. ITI is committed to working with DHS to help it maximize the Program’s positive impact on the cybersecurity readiness of our nation. We look forward to continuing to work with the Administration as it rolls out the Framework as well as with Congress on oversight and additional steps to improve cybersecurity.
Kudos again to NIST for a job well done and for giving us a template for how government can engage with industry on a ground-breaking initiative.