CRE/Cybersecurity Consortium Comments on NIST’s Cybersecurity Framework RFI
Editor’s Note: The comments on NIST’s Request for Information (RFI) on the Cybersecurity Framework prepared by the Center for Regulatory Effectiveness and Multinational Legal Services, PLLC on behalf of the Cybersecurity Consortium are attached here. Below is the Executive Summary.
Federal Determination of Industry Best Practices
Executive Summary
The Center for Regulatory Effectiveness’ (CRE’s) comments on the Cybersecurity Framework focus on a single crucial issue:
- Establishing a process for federal determination of what constitutes an Industry Best Practice.
Two components which need to be included in the Framework’s process for determining Industry Best Practices are:
1. Administrative Appeals Process. NIST needs to establish an administrative process which allows organizations, if needed, to seek and obtain correction of decisions on determining Industry Best Practices.
2. Conformity Self-Certification. The Framework needs to include a process by which each critical infrastructure company can determine how best to verify its conformity with Industry Best Practices in lieu of expensive and burdensome third-party certification.
Executive Order 13636 emphasized the importance of the Cybersecurity Framework incorporating industry best practices “to the fullest extent possible….” In order for the Administration’s aspirations for the use of Industry Best Practices to be realized, adherence to the following Five Principles, which are based on the “Good Government” laws, should guide NIST’s development of the determination process:
1. Diversity. The process should recognize the diversity of cybersecurity Best Practices;
2. Affordability. The process for individual companies for determining whether their use of a Best Practice is Framework-compliant should be minimally burdensome;
3. Reciprocity. Critical infrastructure cyber-defense measures undertaken at the behest of any federal, state or tribal agency or the European Union should be determined to be an Industry Best Practice for purposes of the Framework;
4. Clarity. The best practices determination process needs to clearly define the boundaries of an infrastructure company’s responsibilities regarding the facilities to which the best practices are applied; and
5. Recognition. The process should culminate, within a specified timeframe, in clear government-wide recognition of a company’s voluntary adoption of the Framework.
The complete CRE/Cybersecurity Consortium comments are available here.