The Internet Security Alliance Monday encouraged the Department of Commerce to work with private sector organizations to determine what’s needed in terms of cost-effectiveness, incentives and prioritization to stimulate use of the NIST Framework.
Developed in response to a 2013 Executive Order from President Obama, the NIST Framework for Improving Critical Infrastructure Cybersecurity was released in February 2014. Yet 15 months after the unveiling, ISA President Larry Clinton said in a Tuesday email correspondence with SCMagazine.com that “there has been no systematic work to provide the supports for Framework use that were also called for in the President’s Order.”
Without those supports, he noted, “it is unlikely that there will be substantial and sustained improvements in cyber security based on the Framework.”
Clinton added that, other than anecdotal self-reports, which he called “notoriously unreliable,” there is “no hard evidence that there have been any tangible improvements in security or what aspects of the Framework may have created any improvements.”
The ISA’s call to action came as a filing in response to a Request for Information (RFI) from the Commerce Department’s National Telecommunications and Infrastructure Agency (NTIA) asking what type of multi-stakeholder process was needed to move cyber security forward. Clinton, in a release, advocated “a systematic data driven analysis of our assumptions about the cost, benefits and incentives for cyber security” and noted that “NTIA has a golden opportunity to meet this need and we urge them to seize that opportunity.”
He recommended Commerce adopt a similar model created by the Department of Homeland Security for its STIX and TAXII information-sharing programs. “Both STIX and TAXII were pilot tested carefully by DHS before we went to broad implementation,” he said. “Our proposal lays out a similar model for Commerce so that we can make critical national cyber security decisions based on data, not assumptions.”
Clinton contended that “ISA’s proposal would leverage the Framework with the existing partnership structure established in the National Infrastructure Protection Plan to generate some real data upon which policy that truly affects security can be based.”