Private Sector Comments Submitted to the Department of Commerce on Cybersecurity, Innovation and the Internet

FISMA standards, as discussed on this Interactive Public Docket (IPD), apply to IT systems owned by the federal government. Legislation under consideration, however, would give the U.S. Government the authority to mandate cybersecurity standards on the private sector.

For this reason, actions taken during the FISMA standard process, the subject of this IPD, are of particular interest to the private sector.

The Department of Commerce, acting through its National Telecommunications and Information Administration (NTIA), addressed the topic of cybersecurity in the private sector in a Notice of Inquiry (NOI) published in the Federal Register on July 28, 2010. See the attachment hereto.

The Department of Commerce raised a number of questions, including the cost of implementing cybersecurity measures, public awareness of the issue, web site security, ID authentication, global engagement and product assurance.

A number of firms responded to the NOI. 

Microsoft

Microsoft prepared one of the most comprehensive responses, attached herewith.

Cost

Microsoft does not offer much hope of calculating the costs to be incurred when it states:

“Building the nation’s cyber economic model is not about determining money spent on security and adding up costs related to losses or disruptions are far from trivial. At a medium or large enterprise level cost assessments are very complicated. Attempts to compare or normalize costs between different enterprises are difficult” p. 2.

Without any estimate of costs, how can the federal government judge the merits of a particular program, particularly in this period of an emphasis on deficit reduction?

Website Security

Microsoft states:

“The NOI proposes that web site and component security be improved through third party verification. Microsoft does not believe that third-party verification of web site and component security is, unto itself, effective in reducing malware and eliminating web-based threats.” 

Federal vs. Private Sector Standards

“In summary, Microsoft encourages the Department of Commerce to move rapidly but thoughtfully. The government should not set up programs that are independent or which compete with industry or the standards organizations that exist today.” p. 15.

CTIA—The Wireless Association

CTIA, the Wireless Association, provided in-depth comments, a copy of which is attached herewith.

Federal vs. Private Sector Standards

“The NOI asks whether existing incentives are adequate to address the current cyber security risk environment and what initiatives are already under way that have successfully created incentives to make security investments. Robust competition within the wireless industry has created a market imperative to remain constantly vigilant in providing the most effective and innovative cyber security to wireless consumers.”

“The NOI inquires as to whether government-endorsed minimum performance standards for cyber security are necessary. The greatest challenge in cyber security is that the threats often change more quickly than the techniques used to combat them.” p. 4

Our readers are encouraged to submit comments either in the comments section below or in the separate posting section to the right of this post. 

Of particular concern, it appears that virtually none of the comments have stressed the importance of having a continuous monitoring system to ensure that the investment in cybersecurity operations is in fact working.

NTIA NOI

Microsoft_Cybersecurity-NOI-Comments_9-20-10

CTIA NOI
