• The National Institute for Standards and Technology (NIST) has issued a preliminary “critical infrastructure” cybersecurity standards framework (framework). This preliminary framework provides guidance to an organization on cybersecurity risk.
• Specifically, NIST seeks comments on the preliminary framework from
all sectors and industry types. The preliminary framework was developed in response to the White House Executive Order (EO) and Presidential Policy
Directive (PPD) on cybersecurity, and this latest version has incorporated feedback from an earlier request for information from February 2013. NIST plans
to finalize the framework by February 2014.
• The framework aims to provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls to help owners and operators of “critical infrastructure” and others to identify, assess, and manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
• Also, the framework relies on existing standards, guidance, and best practices to achieve outcomes that can assist organizations with managing cybersecurity risk.
• The framework provides a common language and mechanism for organizations to: 1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement with risk management; 4) assess progress; and 5) foster communications among internal and external stakeholders. While the framework complements, it should not replace an organization’s existing business or cybersecurity risk management process and program.
• Further, the framework is a risk-based approach composed of three parts: framework core, framework profile, and framework implementation tiers.
• CUNA continues to monitor and advocate for credit unions on the “critical infrastructure” cybersecurity framework; we are interested in your feedback if
you have any concerns with potential effects on credit unions. Please see CUNA’s April 2013 comment letter to NIST for reference.
• Credit unions should continue to follow current data security and cybersecurity rules, such as rules from the National Credit Union Administration (NCUA) and Federal Financial Institution Examination Council (FFIEC), and the Gramm–Leach–Bliley Act.
• CUNA continues to work with regulators, the Financial Services Sector Coordinating Council (FSSCC), BITS, and others to emphasize that the cybersecurity framework should recognize existing, robust data security standards that are applicable to financial institutions, including credit unions. Credit unions and other financial institutions should not be subject to additional prescriptive requirements, as they are already subject to a risk-based approach to manage cyber threats.
• Comments for the preliminary framework are due to NIST by December 13, 2013; please submit your comments to CUNA by December 2, 2013. Please e-mail your comments to CUNA Assistant General Counsel for Regulatory
Research Dennis Tsang at firstname.lastname@example.org