The National Institute of Standards and Technology isn't scheduled to release its cybersecurity framework until Feb. 12, but that hasn't stopped computer companies from advising the Department of Homeland Security what it can do with that framework, which is apply it in a multi-year, joint effort with stakeholders that is not too focused on metrics of success or failure.
President Barack Obama mandated the framework, which was created with input from commercial stakeholders and DHS. DHS was put in charge of implementing it, as part of an executive order to light a fire under the issue of protecting information online following the failure of legislative efforts to come up with a plan.
The Information Technology Industry Council (ITIC), whose members include Dell, Microsoft, Apple, Google and eBay, issued its own recommendations Tuesday.
It's four-point plan for implementing the voluntary cybersecurity standards program includes:
1. Putting a priority on outreach and awareness of the framework so companies know it is voluntary and what resources are available to help them with cybersecurity risk management. That outreach should also be tailored to different target audiences, i.e. CEO's vs. chief security officers vs. technical staff.
2. DHS should not try to quantify cyber incidents or count the number of entities adopting the framework as a measure of its success. The framework will be a multi-year effort, ITIC says, and "'success' markers for the Program should be appropriate, realistic, and will by necessity change over time."
3. The government should not focus too much on incentives for participation and the other side of that coin, which could potentially be compliance-based programs that undermine the "voluntary" in voluntary standards. That doesn't mean incentives don't warrant consideration, they say, just not immediate incentives tied to the program's "success" or "failure."
4. All stakeholders must have a seat at the table for this multi-year process and DHS should involve a greater and more diverse group of stakeholders, taking a page from NIST's efforts to maximize participation in creating the framework, including "extensive public comment procedures, wide circulation of preliminary outlines and papers, meetings, and open workshops."