The Internet Security Alliance (ISA), a multi-sector trade association representing the interests of some of the biggest companies in the nation, has outlined details in a proposal for a new phase for the Federal Cyber Security Framework ahead of the fifth and final NIST workshop on drafting the standard.
ISA president Larry Clinton, speaking on a panel with the chair of the president’s Integrated Task Force, proposed a “beta test” period for the NIST framework rather than moving immediately to full implementation in February.
“We have already seen the results of not doing enough testing before launching a major program with Healthcare.com,” Clinton said. “Similarly, the cyber security framework needs to be tested just as the private sector would do with any major product or service before it was rolled out.”
Clinton also indicated that the ISA had received support from both industry and government officials for a beta test phase of the Framework, and further proposed that DHS should work with the Sector Coordinating Councils and the Government Coordinating Councils (GCCs) to develop sector-specific tests of the Framework’s costs and overall effectiveness.
“The tests should be independent from NIST and focus on a stratified sample of target critical infrastructure companies who are most closely representative of the organizations NIST is targeting with their framework,” Clinton said. “DHS should assist with the implementation of the framework and track the issues that come up, including cost, time, effort, the effectiveness of available incentives and improvements in actual security.”
ISA contrasted its proposal with the approach currently being promoted by NIST: identifying early adopters of the Framework and using their voluntary self-reports to shape future policy.
“Obviously the firms who are going to volunteer as early adopters are those for whom adoption is easy; probably they are already doing what is required in the NIST framework,” Clinton said. “In all likelihood such firms have economies of scope and scale that are not typical of the companies who are not currently practicing adequate cyber security. It’s these latter companies that we need to work with and analyze.”
Clinton argued that a beta test phase would provide data that would be of substantial use in promoting the long-term adoption of the cyber security framework.
“If we can actually analyze target firms’ implementation of the framework, we can comply with the president’s order to determine what aspects of the framework are in fact cost effective,” Clinton said.
“That means we will also learn how useful the incentives DHS can offer will be in overcoming cost inefficiencies in the framework and point the Congress as to exactly what they need to do to encourage greater adoption in the interests of security.”