Perspectives related to the 16 U.S. Critical Infrastructure sectors.
“…the NIST Cybersecurity Framework was instrumental in identifying best practices and voluntary measures that can help companies operationalize security risk management and security-by-design….The NIST Cybersecurity Framework is in many respects the seminal document on cybersecurity risk management.”
Loretta Polk, Vice President & Deputy General Counsel, and Rick Chessen, Senior Vice President Law & Regulatory Policy, NCTA – The Internet & Television Association (NCTA)
January 14, 2019 - Response to the Privacy Framework RFI
“There are many available standards our cybersecurity community may utilize to guide an agency in their quest for furthering its cybersecurity program. With NIST’s Cybersecurity Framework (CSF) designated as a tool federal agencies should use, our local community, across the Nation, was incentivized to also follow the Framework. The NIST CSF has served as a superb standard to enable all agencies to be on the same ‘measurement’ page. This allows agencies to be measured and evaluated equally. The adoption of the NIST CSF for MS-ISAC’s Nationwide Cybersecurity Review (NCSR) was a huge step in improving our state, local, tribal and territorial (SLTT) communities’ metric of year-to-year and peer-to-peer comparisons on a national scale. As CISO to both Napa and Mono Counties (California), I have greatly benefited by using NIST’s CSF in conjunction with MS-ISAC’s NCSR. The majority of California counties have also adopted NIST’s CSF as the appropriate tool for our statewide standard.”
Gary Coverdale, CISO, Napa and Mono Counties, CA
November 2018 - Framework Success Story
"We have worked with a variety of industries, primarily in the private sector, that have had a thirst to find some mechanism to improve how they identify and articulate risk.What the CSF does so well is create an ability to take very complex risk concepts and produce a simplified outcome that can be effectively communicated to a broad group of stakeholders. This provides a way to express to third parties -- that may have direct access to sensitive data as part of a service they offer -- how risk has been evaluated by their business partners. In turn, that creates a more healthy conversation between companies as to how best protect that data."
Troy Leach
CTO - PCI Council
"Cybersecurity: Develop modal cyber threat models for transportation critical infrastructure to enhance integrated cybersecurity and safety research priorities As components of transportation systems are increasingly connected with Internet of Things (IoT), cybersecurity risks that could impact safety, the economy, and emerging technology adoption are increasing. To reduce this risk, DOT will encourage the adoption of the National Institute of Standards and Technology Cybersecurity Framework by transportation ecosystem stakeholders. DOT will also develop strategies for the integration of cybersecurity risk management into safety management programs"
U.S. Department of Transportation Strategic Plan for FY 2018-2022
"We are working close[ly] with our government partners and believe robust public private partnerships are the most effective way to manage threats. We support the NIST cybersecurity framework and efforts to align cybersecurity policy with these guidelines."
Kenneth Benson, Jr., President and CEO, SIFMA
May 9, 2018 - SIFMA 2018 Operations Conference and Exhibition
“We appreciate the effort by NIST to continue supporting a broad, cross-sector Cybersecurity Framework to reduce cybersecurity risks to critical infrastructure. The ability to maintain flexibility, while sufficiently detailing program components to provide substantive guidance is essential to risk management. The voluntary, high-level nature of the Framework is directly related to its successful deployment by industry, which strengthens the trusted partnership between NIST and private industry. NIST continues to excel at soliciting input and feedback on updates and changes to the Framework, and the Energy Sector will continue to be an active participant….. AGA, EEI, and our members continue to support NIST’s efforts by raising awareness of the Framework through a variety of means, including outreach to our member committees and conferences focused on cybersecurity, through the Electricity Subsector Coordinating Council (“ESCC”) and the Oil and Natural Gas Subsector Coordinating Council (“ONG SCC”), and in cross-sector venues. Though our members have already employed various cybersecurity risk management activities, the Framework has facilitated more comprehensive and mature, enterprise- wide approaches to cybersecurity.”
Scott I. Aaronson, Vice President, Security & Preparedness, Edison Electric Institute
Jim Linn, Chief Information Officer, American Gas Association
January 19, 2018 – AGA-EEI RFC Response
“This high-level Framework provides the appropriate mix of flexibility and specific risk management program components, providing private industry with effective guidance for their individual programs. Further, the collaborative approach to developing and revising the framework has served to strengthen the valuable and trusted partnership between NIST and private industry. INGAA commends NIST for its approach to working with private industry and soliciting feedback on these updates.”
Rebecca Massello, Director of Security, Reliability and Resilience. Interstate Natural Gas Association of America (INGAA)
January 19, 2018 – INGAA RFC Response
“API member companies continue to support the Cybersecurity Framework (CSF), including V1.1, as the pre-eminent standard for companies’ cybersecurity programs and for policy making globally. We support the CSF because it is (a) comprehensive, (b) a risk management approach, (c) scalable to different types and sizes of companies, and (d) widely used across industry…. Overall, API continues to support the use of CSF and believes that NIST is a prime example of how government can work cooperatively with industry to manage risks, with the goal of providing reliable and affordable energy to the nation.”
Aaron Padilla, Senior Advisor, International Policy, American Petroleum Institute (API)
January 19, 2018 – API RFC Response
“NCTA appreciates NIST’s continued efforts to update and enhance the Cybersecurity Framework and we look forward to continuing to collaborate with NIST on refining and improving this important resource for managing cybersecurity risk.”
Rick Chessen, Senior Vice President, Law & Regulatory Policy and Loretta Polk, Vice President & Associate General Counsel, The Internet & Television Association (NCTA)
January 19, 2018 – NCTA RFC Response
“As the Framework approaches the end of its fourth year of implementation following the publication of Version 1.0 in February 2014, USTelecom and its U.S. and international members will endeavor to promote the use of Framework Version 1.1 and accelerate its implementation as an advanced risk management tool in order to build cybersecurity resiliency throughout the global internet and communications ecosystem. In 2014 and 2015, we helped lead the groundbreaking initiative under the fourth Communications Security, Reliability and Interoperability Council (“CSRIC”) to develop tailored Framework implementation plans for each of the five segments of communications sector (wireless, wireline, cable, satellite, and broadcast). This CSRIC initiative was, and remains, the most ambitious and in-depth Framework implementation effort in any segment of the economy.”
Robert Mayer, Senior Vice President – Cybersecurity, USTelecom
January 19, 2018 – USTelecom RFC Response
“AWWA has been actively promoting use of the Cybersecurity Framework (‘Framework’) since it was first issued in 2014. We were one of the first organizations to provide a voluntary, sector-specific approach for implementing the Framework based on a use-case approach that allows the users to prioritize the control measures applicable to a given function(s). We commend NIST for the collaborative process used to develop and refine the Framework with stakeholders …. AWWA, an awardee of the 2016 NIPP Resilience Challenge, has launch[ed] a national initiative to promote the use of the Framework in the water sector based the resources we have developed.”
G. Tracy Mehan, III, Executive Director – Government Affairs
January 19, 2018 – AWWA RFC Response
“ChemITC supports the framework and its continuing flexibility. The framework is complementary to the voluntary Security Code included into ACC’s Responsible Care® Program and other voluntary frameworks that have similar goals. ChemITC has actively promoted the joint industry-National Institute of Standards and Technology (NIST) cybersecurity framework (the framework) since it was released in 2014. The framework is backed by many industry sectors, and the proposed updates, especially provisions related to the supply chain and consideration of metrics, generally represent enhancements to the original framework…. Our experience indicates that the framework is extremely useful. ChemITC members are using the framework and urging business partners to do the same to better manage cybersecurity risks to their information networks and systems.”
Bill Gulledge Senior Director, Chemical Products & Technology Division Manager, ChemITC Program, American Chemistry Council’s (ACC)
April 10, 2017 – ACC RFC Response
“CHIME and AEHIS continue to be strong champions of the NIST CSF and believe it should be used by the entire healthcare sector.”
Russell Branzell, CEO & President, CHIME; Cletis Earle, Chair, CHIME Board of Trustees Vice President and CIO, Information Technology Kaleida Health; and Erik Decker, Chair, AEHIS Board, CISO and Chief Privacy Officer, University of Chicago Medicine
January 19, 2018 – CHIME & AEHIS RFC Response
“In the fall of 2016, the HIMSS North America Board of Directors approved the Cybersecurity Call to Action and since that time, HIMSS has been advocating for the adoption of holistic security measures. Accordingly, HIMSS supports NIST’s inclusion of holistic security principles throughout the Framework—including the alignment of cybersecurity risk management with the business context and resources that support critical functions. Our Call to Action also advocates for adoption and use of the Framework, as well as fostering the growth of the healthcare cybersecurity workforce.”
Denise W. Hines, CEO, eHealth Services Group, Chair, North America Board of Directors; Michael H. Zaroukian, Vice President & CMIO, Sparrow Health System Chair, HIMSS Board of Directors; Harold F. Wolf III, President & CEO, HIMSS
January 19, 2018 – HIMSS RFC Response
“We value NIST’s ability to identify cybersecurity trends and aggregate best practices, particularly at a time in which patients and physicians regularly interact with health information technology (health IT) both within and outside of physician practices. In particular, we support the Framework’s voluntary approach that offers flexibility and allows entities to customize how they adopt and implement a cybersecurity framework. This is critical in the health care space where a solo practitioner has very different resources than a large health system. We appreciate that NIST created and is working to improve a tool through which an organization can evaluate its security practices.”
James L. Madara, CEO, American Medical Association
April 5, 2017 – AMA RFC Response
“AdvaMed appreciates NIST’s efforts to improve cybersecurity risk management. Although the Framework is not directly applicable to the management of risks for medical devices, our members have found portions of the Framework helpful. Moreover, the U.S. Food and Drug Administration (“FDA”), whom we commend for its proactive leadership role over medical device cybersecurity, has utilized the Framework in its work to ensure that medical device cybersecurity is considered and addressed throughout all stages of product design and use.”
Zachary A. Rothstein, Esq., Associate Vice President Technology and Regulatory Affairs, AdvaMed
January 19, 2018 – AdvaMed RFC Response
“We believe there is wide support in industry for NIST to focus its efforts on establishing a uniform method of reporting while encouraging industries to tailor specific control frameworks and associated assurance programs to meet the needs of the industry.”
Dr. Bryan S. Cline, Vice President, Standards & Analysis, HITRUST
January 19, 2018 – HITRUST RFC Response
“AFPM members have been at the forefront of cybersecurity efforts, participating in a wide range of industry and government initiatives to enhance cybersecurity for critical infrastructure within the oil and natural gas, and chemical sectors. AFPM members utilize the Framework as a tool in their own facility cybersecurity risk assessments, using it as guidance to better measure their facilities’ cybersecurity risk management programs…. AFPM recognizes that cybersecurity is a dynamic threat that could have direct consequences for critical infrastructure sites. As such, we broadly support the proposed amendments to the Framework and urge NIST to retain the voluntary nature of its Framework to enable more successful and efficient critical infrastructure cybersecurity programs.”
Daniel J. Strachan, Director, Industrial Relations and Programs, The American Fuel & Petrochemical Manufacturers
January 19, 2018 – AFPM RFC Response
"The Council also encourages the financial regulators to remain actively engaged with NIST as various NIST publications are updated, including the Framework. As cybersecurity supervision evolves, the Council recommends that financial regulators establish a harmonized risk-based approach utilizing the Framework and common lexicon, which can be leveraged to assess cybersecurity and resilience at the firms they regulate. In addition, financial regulators should harmonize the development of any specific cybersecurity rules and guidance domestically, as appropriate. Such efforts will further reinforce efforts by diverse stakeholders to promote baseline protections across the sector.”
Financial Stability Oversight Committee (FSOC) – 2017 Annual Report (pp. 8-9)
"Collaboration among many stakeholders on cybersecurity is critical to progress. The Federal Reserve has been working with, and will continue to work with, other financial regulatory agencies on harmonizing cyber risk-management standards and regulatory expectations across the financial services sector.
Specifically, we are focused on aligning our expectations with existing best practices, such as the National Institute of Standards and Technology's Cybersecurity Framework, and identifying opportunities to further coordinate cyber risk supervisory activities for firms subject to the authority of multiple regulators. We support industry efforts to improve harmonization across the sector, which are complementary to achieving our regulatory safety and soundness goals."
Federal Reserve Vice Chairman for Supervision Randal K. Quarles
The Financial Services Roundtable - 2018 Spring Conference
Brief Thoughts on the Financial Regulatory System and Cybersecurity
"...a comprehensive program entails adopting a risk management framework, such as the NIST Cybersecurity Framework, implementing a rigorous process, and adhering to a continuous process improvement mindset. Because the cybersecurity landscape continues to change and evolve, a “once-and-done” process, or a simple compliance checklist, is not sufficient to protect an organization."
Fernando Martinez, senior vice president and chief digital officer of the Texas Hospital Association and president and CEO of the Texas Hospital Association Foundation, and Bob Chaput, founder and CEO of Clearwater Compliance.
April 13, 2018 - 3 Things That Healthcare Must Understand About Cybersecurity
Resources related to this user group.