ACA: Government Cybersecurity Framework Needs Work

Says metrics approach is contradictory and a nonstarter

Small and medium-sized cable operators are calling on the National Institute of Standards and Technology (NIST) not to rush into an update of the cybersecurity framework, a draft of which it has sought comment on.

In comments to the institute, the American Cable Association applauded NIST's willingness to work with industry on the critical infrastructure cybersecurity effort but said some of its proposed updates are unclear, contradictory, and could lead to "a one-size-fits-all approach."

In particular, said ACA president Matt Polka, "the discussion on Measuring and Describing Cybersecurity suffers from serious flaws and should be rejected in favor of continued study and evaluation."

The metrics section, says ACA in its comments, could end up relying on a "checklist assessment created by third party consultants or auditors," instead of using an "inward-looking, individualized approach to cybersecurity risk management that the Framework otherwise encourages."

On the lack-of-clarity front, ACA says the draft's discussion of cybersecurity metrics fails to provide a baseline understanding of what should be measured and how. ACA also says the draft suggests that qualitative metrics can be used to quantify causes and effects, which ACA calls inherently contradictory.

ACA says any update needs to emphasize that the effort is voluntary, risk-based and flexible.

ACA also suggested that a one-size-fits-all approach to supply chain and buying decisions does not sufficiently account for the fact that smaller operators lack the negotiating leverage to influence vendor cybersecurity practices.

In a February 2012 executive order, President Obama charged NIST with creating that voluntary, risk-based cybersecurity framework of industry standards and best practices, which it did the next year. NIST is now in the process of updating that framework; it insists in the draft summary that the update is not a one-size-fits-all approach and says it recognizes that some organizations have "unique" risks.

The original NIST 1.0 framework took a "stop, drop and roll" approach to threat response, organized around five functions: "Identify, Protect, Detect, Respond, Recover."

ACA suggests NIST needs to stop, rethink, and then roll out the next iteration.
