Proposed Updates To The Cybersecurity Framework Don’t Live Up To High Standard Set By Framework 1.0
PITTSBURGH, April 12, 2017 – The American Cable Association (ACA) filed comments Monday urging the National Institute of Standards and Technology (NIST) to take additional time to develop the right approach to cybersecurity metrics, as the proposed updates to the Cybersecurity Framework 1.1 lack clarity, are in some respects contradictory, and may inadvertently encourage a one-size-fits-all approach to measuring cybersecurity risk management.
“ACA applauds NIST’s continuing work to refine and improve the ‘Framework for Improving Critical Infrastructure Cybersecurity’ and appreciates NIST’s efforts to collaborate with industry to ensure that any changes to the Framework retain the core principles that made the Framework so useful in the first place, particularly for small entities. Unfortunately, some of the proposed changes, particularly the discussion on Measuring and Describing Cybersecurity, suffer from serious flaws and should be rejected in favor of continued study and evaluation in collaboration with industry,” ACA President and CEO Matthew M. Polka said.
At the outset, ACA said NIST should adhere to the principles that made the Framework so useful in the first place, especially for small businesses. Specifically, any updates must reinforce that the Framework is intended to be voluntary, risk-based, and flexible enough to meet the needs of a wide variety of organizations across a breadth of industries. Unfortunately, the proposed updates lack sufficient definitional guidance as to what entities using the Framework should be measuring, or how it should be measured. The updates also are unclear as to whether metrics should be qualitative or quantitative, and some of the language used in the Framework may lead some entities to become overly reliant on a one-size-fits-all approach to measuring cybersecurity, which would be problematic for smaller entities. ACA encouraged NIST to work with industry to examine the issue of metrics more closely, rather than rush to adopt the inadequate approach described in the proposed updates.
ACA’s comments also discussed the Framework’s proposed updates related to Supply Chain Risk Management (SCRM) and buying decisions. ACA pointed out that the proposed updates do not adequately address the impact of market forces on an entity’s ability to implement such activities, as small organizations typically lack the negotiating leverage to influence their vendors’ cybersecurity practices. As it further refines Framework 1.1, NIST should consider in more depth how such small organizations might use the Framework to manage supply chain risks.
About the American Cable Association: Based in Pittsburgh, the American Cable Association is a trade organization representing nearly 750 smaller and medium-sized, independent cable companies that provide broadband services for nearly 7 million cable subscribers primarily located in rural and smaller suburban markets across America. Through active participation in the regulatory and legislative process in Washington, D.C., ACA’s members work together to advance the interests of their customers and ensure the future competitiveness and viability of their businesses. For more information, visit https://acaconnects.org/