A little more than six months after the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity (Framework) version 1.0, the agency issued a request for information (RFI) to get feedback from stakeholders on their experiences with the Framework and their recommendations on next steps. NIST is seeking input, and sharing responses, in the same open and transparent manner by which the Framework was developed, and the Information Technology Industry Council (ITI) was pleased to respond to the RFI.
Overall, we are seeing the right trends illustrating that the marketplace is accepting the Framework. Since releasing the Framework in February 2014, NIST has focused on raising awareness of the Framework and how it can be used to manage cyber risks, and thus the RFI’s questions rightly begin with awareness. We commend the activities NIST and the U.S. Administration generally have undertaken around the country and the world to this end, and as described in our filing, ITI and our member companies have augmented this with extensive outreach of our own.
This outreach is working: ITI companies are seeing rising awareness both internal to their organizations and among their customers, as well as among foreign audiences. However, much more awareness is needed and we urge NIST and the administration to double down on these efforts, particularly vis-à-vis international audiences.
The questions on experience (use) are important, but they should be put into context. The goal is not “adoption” of the Framework, which is not designed to be a one-size-fits-all approach, but better management of cyber risks and improved resilience amidst constantly changing cyber threats.
In our comments, ITI reported a number of positive ways the Framework is being used. Companies are having new conversations about cybersecurity risk management both internally (e.g. with senior management) and externally (e.g. with boards of directors, partners, suppliers, and customers) and making decisions based on these conversations. The market is also responding to serve demand. Many ITI companies are developing new products and services–or mapping their existing products and services–to help others use the Framework and manage cyber risks. The tech sector has long built cybersecurity into our products and solutions, and we are pleased to be able to help entities of all sizes in multiple industry sectors leverage the Framework to better manage risks.
Finally, we must underscore a tangential but critical benefit stemming from a spectrum of activities associated with the Framework. The workshops and related events have brought together multiple sectors to work on a common task, which has fostered and/or augmented cross-sectoral discussions (both outside and inside of government) and collaborations on cybersecurity risk management—essential activities given our growing interdependencies through technology.
There is a lot to do moving forward. The nine areas identified in the Framework’s Roadmap are important to improving cybersecurity, and further research and/or industry-led standards development work on them could be very helpful. However, we caution against adding new functions, outcomes, or informative references to the Framework Core until they have matured and gained broad voluntary industry acceptance and adoption. We particularly urge caution in the areas of conformity assessment, supply chain, and technical privacy standards. Regarding the latter, while we agree that work in the privacy engineering field is valuable, and that NIST can contribute to this work stream, an initiative focused on the development of a framework or standard is not recommended in the privacy area where discussion is still underway on underlying public policy goals.
Accordingly, we suggested to NIST, as we did in our October 10, 2014, letter to the agency specifically on the privacy engineering initiative signed by ITI and twelve other associations, that NIST pivot away from developing a framework or standard and focus its work on developing a catalogue of privacy engineering solutions. Such a resource would be useful to organizations seeking to improve how they build privacy into their information management structures.
Aside from the Framework, there are many other essential roles NIST and the Department of Commerce more broadly should play in cybersecurity policy in the coming years, particularly outside of the critical infrastructure sectors. The Commerce Department’s primary mission is to promote economic growth and innovation—both of which underpin cybersecurity. The Department could reinvigorate its Internet Policy Task Force and revisit some of the ideas put forward in the Task Force’s 2011 “Cybersecurity, Innovation, and the Internet Economy” Green Paper.
ITI strongly believes the Framework can help improve cybersecurity, and we are committed to helping it succeed. NIST is to be commended for seeking to understand what is working and what can be improved. While information captured via this RFI will be extremely helpful for sharing initial lessons and prioritizing next steps—and understanding areas where improvement is needed—answers must be reviewed and analyzed in the context of the early stages of a tremendous endeavor.
Since the landscape will change as awareness and use of the Framework’s tools continue to grow, we recommend that NIST ask these questions again in a year so that we can see how experiences evolve.