USACM Encourages Flexibility In Proposed Cybersecurity Framework

By David Bruggeman
April 28, 2013

As part of the President’s Executive Order on Cybersecurity, the National Institute of Standards and Technology (NIST) is required to develop a Cybersecurity Framework (Framework). This Framework, per Section 7 of the Executive Order, would “include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

As part of its development process, NIST issued a Request for Information (RFI) related to the Cybersecurity Framework, and USACM submitted comments in response. This RFI is the first part of what will be a very public review and comment process. NIST will host a series of workshops this summer, beginning in late May at Carnegie Mellon University.

In its comments, USACM focused on two points: effective privacy controls and the fluidity of cybersecurity.

Applying the Fair Information Practice Principles through the Framework helps protect privacy, and supports the reliability and security of systems. Coupled with effective access controls and data minimization, such practices can help preserve legal limits on the access to the information that could be shared under the Executive Order. There can be adverse consequences to erring on the side of more information disclosure. Making sure only relevant cybersecurity threat information is shared, and only for cybersecurity purposes, can make data management easier and reduce the risk of unintended and/or inappropriate information disclosure.

While having a single Framework to serve as a source of guidance for cybersecurity has its benefits, there is a risk of becoming too static in preparing for threats. New challenges to cybersecurity systems can arise quickly, and different kinds of systems have different challenges to respond to. The Framework will be more effective if the standards it includes are either sector-specific, or sufficiently narrow that it will be possible to demonstrate that the standard improves security for the affected system.

These arguments, along with responses to some of the specific questions in the RFI, are detailed in USACM’s comments. Besides the workshops, there will be additional opportunities for input into the Framework, which should be released in draft form late this year.