One and Done? Not for NIST and the Cyber Framework.

Apr 16, 2018 - 4:30pm

Vice President, Cybersecurity Policy

The National Institute of Standards and Technology (NIST) did it again. The agency today released Cybersecurity Framework Version 1.1, an update to the original 2014 Framework, which has proven to be widely popular in the business community. The U.S. Chamber of Commerce appreciates the considerable effort that NIST and industry actors committed to revising this key tool. There are a number of reasons why the public and private sectors should champion the Framework. Here are a few:

First, business leaders and policymakers view the Framework as a pillar for managing enterprise cyber risks and threats, including at home and increasingly abroad. NIST officials continue to do an admirable job convening many organizations to make the Framework a practical, living document.

Companies are enthusiastic about the Framework, in part, because it is neither biased toward any country’s laws nor bound by outdated and inflexible rules and procedures. The U.S. Chamber wants U.S. and foreign governments’ cyber policies to be aligned with the dynamic approach to security that underpins the Framework and similar voluntary architectures.

Second, among the enhancements to the Framework, Version 1.1 emphasizes that organizations can self-assess their cyber risks, along with the costs and benefits of their information security strategies “internally or by seeking a third-party assessment” [italics added].

This tweak, while seemingly subtle, is significant. It should instruct third parties, whether public or private, that they cannot have access to risk data that a company generates when using the Framework without prior authorization by the business. In addition, there is seemingly no such thing as “complying with the Framework,” which this excerpt from the document explains:

[T]here are a wide variety of ways to use the Framework. The decision about how to apply it is left to the implementing organization. . . . There sometimes is discussion about ‘compliance’ with the Framework, and the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. Nevertheless, the variety of ways in which the Framework can be used by an organization means that phrases like ‘compliance with the Framework’ can be confusing and mean something very different to various stakeholders (pg. vi).

Third, while the Framework was developed to improve the cybersecurity of critical infrastructure, it can be used by organizations in any sector or community. Over the last several years, the U.S. Chamber has partnered with state and local chambers, industry groups, and universities to promote what I like to dub cyber fitness—that is, cyber fitness for the health and survival of businesses, their commercial partners, and the broader economy.

On the positive side, many corporate leaders understand the importance of cybersecurity to their companies’ well-being. A recent PwC survey ranked the four highest concerns for U.S. CEOs in 2018. Cyber threats ranked No. 1 at 63%, up from 50% in 2017. Cyber topped overregulation (55%), terrorism (50%), and geopolitical uncertainty (50%).

The U.S. Chamber wants companies to invest heavily in sound cybersecurity practices, particularly having a plan and exercising it regularly. The Framework enables organizations—regardless of their size, risk profile, or cyber sophistication—to develop a plan from scratch or improve an existing one. Quality cyber practices don’t simply drain businesses’ resources; they add to them. Good cybersecurity contributes to a company’s bottom line, reputation, and competitiveness.

About the Author

Matthew Eggers
Vice President, Cybersecurity Policy

Matthew J. Eggers is vice president of cybersecurity policy in the Cyber, Intelligence, and Security division at the U.S. Chamber of Commerce.