The FISMA Focus IPD

This is the fourth in a series of posts about specific proposals in the recent US cybersecurity report. In this post, we discuss Action Item 1.4.4 — standardized cybersecurity conformity assessments.

Action Item 1.4.4 recommends, “[t]he private sector should develop conformity assessment programs that are effective and efficient, and that support the international trade and business activities of U.S. companies.” These “conformity assessments” would signal to third parties that a business had “exercis[ed] diligence with regard to cybersecurity.” The Commission’s report recognizes that “[c]onformity assessments conducted by private-sector organizations can increase productivity and efficiency in government and industry, expand opportunities for international trade, conserve resources, improve health and safety, and protect the environment.” Identifying the 2014 NIST Cybersecurity Framework as “a good basis for conformity assessment,” the report suggests that “conformity assessment[s] . . . could, in part, meet the needs of” private organizations “in demonstrating their effective use of the [NIST] Cybersecurity Framework.”