Trade Law Daily is a Warren News publication.
Incentives Progress Needed

ICT Sector Actively Adapting NIST Cybersecurity Framework for Sector Use, Stakeholders Say

The information and communications technologies (ICT) sector is now substantially aware of the National Institute of Standards and Technology’s Cybersecurity Framework and is working to align it with often-robust existing cyber risk management practices within the sector, industry stakeholders told NIST in filings released through Tuesday. That level of awareness also extended into state governments, state agencies said. NIST sought feedback from stakeholders within critical infrastructure sectors about the “Version 1.0” framework, which it released in February (1402130026). Comments were due Friday.

ICT sector groups indicated there was sector-wide awareness and burgeoning use of the framework. The Telecommunications Industry Association (TIA) said there was “widespread” awareness (http://1.usa.gov/1wAlWA6), as did NCTA (http://1.usa.gov/1w5evRJ). USTelecom said there was “substantial” awareness (http://1.usa.gov/1D9TN79), while CTIA said the wireless industry is “fully engaged” in using the framework (http://1.usa.gov/1trr0dn). Almost all ICT sector commenters said it is too early to evaluate the framework’s effectiveness because the sector is in the process of aligning the NIST framework with existing risk management practices. The ICT sector has been seen as a main driver of the NIST framework’s development because it was already implementing cyber risk management practices before President Barack Obama issued a cybersecurity executive order in 2013 (1302140016).

Not all ICT sector stakeholders are aware that the framework is voluntary or that it is meant to only apply to critical infrastructure companies, TIA said. That lack of universal awareness is due in part to remaining concerns that the framework could become a “de jure or de facto” set of regulations, said the Utilities Telecom Council. UTC said sector-specific guidance on the framework, currently in development through the FCC Communications Security, Reliability & Interoperability Council Working Group 4, will help alleviate those concerns (http://1.usa.gov/1D9YD4w). Other sector groups also urged the federal government to maintain the framework as a voluntary set of best practices, with USTelecom saying a flexible and voluntary framework will be necessary to sustain industry enthusiasm. NTCA said it would be a “strategic mistake” to turn the framework into a prescribed set of standards, and mandates aren’t necessary to encourage rural broadband service providers to meet the cybersecurity needs of customers (http://1.usa.gov/1D9Zbr0).

Small and medium-sized ICT sector businesses have a “mixed” record of awareness and use of the framework in part because they may be “hesitant to implement specific changes related to the Framework until there appears to be consensus on the viability of utilization,” CompTIA’s TechAmerica said (http://1.usa.gov/1rt2Ffw). Small carriers are using the framework less frequently due in part to a lack of financial resources, resulting in a gap that more clearly defined incentives could close, NTCA said. Effective incentives for small carriers include technical assistance from federal agencies and rule changes to let carriers more effectively recover cybersecurity costs, NTCA said. The Internet Security Alliance said there are significant barriers to small business adoption of the framework, repeating ISA’s earlier concerns that the framework hasn’t been proven to be cost effective. If the federal government can provide “hard evidence of cost effectiveness,” companies “will naturally take note and adopt its principles -- because it is cost effective to do so,” ISA said (http://1.usa.gov/1nkUlDn).

Individual ICT companies generally agreed with the assessments of sector groups. But Microsoft said a lack of progress on incentives has made it an open question “whether the [executive order’s] voluntary approach will prove persuasive without activities that catalyze use of the Framework” (http://1.usa.gov/1sDtm6y). Dell said the framework should transform into a tool for all businesses rather than just critical infrastructure entities (http://1.usa.gov/ZqMx7P).

The National Association of State Chief Information Officers found in a joint NASCIO survey with Deloitte that cybersecurity was consistently a “primary concern and priority” for state governments, with 94 percent of state chief information security officers saying their state governments are using the NIST framework and are welcoming guidance from the agency. About 47 percent of state CISOs said they planned to fully use the framework within the next six months to a year, while about 39 percent said they were studying the framework for state use, NASCIO said. Insufficient funding, more sophisticated threats and a shortage of cybersecurity “talent” are the main cyber risk factors for state governments, the group said (http://1.usa.gov/ZCwHHM). The Texas Department of Information Resources (http://1.usa.gov/1u1nZKV) and the Virginia Information Technologies Agency (http://1.usa.gov/1z89Gg0) reported they were working to align the NIST framework with their existing cyber risk management practices.