Trade Law Daily is a Warren News publication.
Economics Focus Urged

Stakeholders Urge Caution on Metrics Language in NIST Cybersecurity Framework Update

The National Institute of Standards and Technology should be cautious in finalizing the language on developing effective cybersecurity metrics in its draft v1.1 update to the Cybersecurity Framework, and should ensure the private sector continues to take the lead in developing the process for implementing the framework, stakeholders commented. NIST sought comment in January on the framework update, which included metrics language aimed at starting a conversation on how to effectively measure use of the framework (see 1701100084). The comments will aid in structuring discussions during NIST's planned May 16-17 framework workshop in Gaithersburg, Maryland, the agency said.


The U.S. Chamber of Commerce urged caution in implementing v1.1 metrics. The update “should make clear that there are no one-size-fits-all methods to employing metrics and administering” risk management activities within any industry sector, the chamber said. NIST should consider also developing metrics on national cyber threat deterrence, though that's “technically outside the scope” of the agency's work on v1.1, the chamber said. It said the May gathering may help NIST clarify v1.1 but the agency “may need to hold follow-up gatherings to work through any significant remaining issues.”

The Internet Security Alliance and FAIR Institute jointly urged NIST to use a multistakeholder process, like the one the agency used to create the original 2014 framework, to develop the process for implementing the framework. “A greater emphasis needs to be placed” on the “economics” of the framework to make it a fully effective tool for the private sector, ISA and FAIR wrote. They said a new multistakeholder process could create a methodology for framework use that will allow private sector entities to use the document “in the most cost effective manner to meet their unique cyber-risk profile.”

ISA and FAIR “reject the assertion that security can't be measured and hence efforts to determine cost effectiveness are fruitless. If cost effectiveness cannot be measured the only response would be for companies to implement absolutely every possible security measure, thus dooming any pretense of a risk-based approach.” The groups raised concerns about language in v1.1 that “may open the door to mandatory or quasi-mandatory compliance regimes.” They suggested NIST adopt the American Institute of CPAs' voluntary cybersecurity reporting framework, which “organizations can use to communicate useful information about their cybersecurity management program to a broad range of stakeholders.”

Rapid7, Symantec, the Center for Democracy and Technology and others jointly told NIST the agency should “explicitly incorporate” vulnerability disclosure guidance into the framework, including adding a subcategory to the document's core. “Building such processes into the Framework would not be a major revision, but rather a clarification of existing elements of the Framework that will help organizations evaluate their preparedness to respond to vulnerability information and communicate with internal and external stakeholders,” they commented.

The R Street Institute urged NIST to address cyber insurance in v1.1 and consider further work on the topic in future framework updates. Cyber insurance is “an important aspect” in the framework's goal of helping entities recover from a cyberattack, R Street said. “NIST itself has recognized the role cyber insurance can play in helping businesses respond to and recover from a cyber incident.” Including insurance in the framework will prompt all users to consider adopting it “as part of the enterprise risk management process,” which could help “raise the bar for device security, bolstering the global cybersecurity ecosystem.”