NIST Preliminary Critical Infrastructure Cybersecurity Framework

Executive Summary

• The National Institute of Standards and Technology (NIST) has issued a preliminary “critical infrastructure” cybersecurity framework (framework). The preliminary framework provides voluntary guidance to organizations on identifying, assessing, and managing cybersecurity risk.

• NIST seeks comments on the preliminary framework from all sectors and industry types. The preliminary framework was developed in response to the White House Executive Order (EO 13636, “Improving Critical Infrastructure Cybersecurity”) and Presidential Policy Directive (PPD-21) on critical infrastructure cybersecurity, and this version incorporates feedback received on NIST’s earlier request for information from February 2013. NIST plans to finalize the framework by February 2014.

• The framework aims to provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of “critical infrastructure” and other organizations identify, assess, and manage cybersecurity-related risk while protecting business confidentiality, individual privacy, and civil liberties.

• The framework does not create new technical standards. Instead, it relies on existing standards, guidance, and best practices (the Framework Core maps each desired outcome to “informative references” such as ISO/IEC 27001, NIST SP 800-53, COBIT, and ISA 62443) to achieve outcomes that help organizations manage cybersecurity risk.

• The framework provides a common language and mechanism for organizations to: 1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; and 5) foster communication among internal and external stakeholders. The framework complements, but does not replace, an organization’s existing business and cybersecurity risk management processes and programs.

• The framework takes a risk-based approach and is composed of three parts: the Framework Core (cybersecurity activities and outcomes organized under five Functions: Identify, Protect, Detect, Respond, and Recover), Framework Profiles (an organization’s current and target alignment to the Core), and Framework Implementation Tiers (ranging from Tier 1, Partial, to Tier 4, Adaptive, describing how rigorously an organization’s risk management practices are applied).

• CUNA continues to monitor and advocate for credit unions on the “critical infrastructure” cybersecurity framework, and we are interested in your feedback on any concerns about its potential effects on credit unions. Please see CUNA’s April 2013 comment letter to NIST for reference.

• Credit unions should continue to follow current data security and cybersecurity rules, such as those from the National Credit Union Administration (NCUA) and the Federal Financial Institutions Examination Council (FFIEC), and the Gramm–Leach–Bliley Act.

• CUNA continues to work with regulators, the Financial Services Sector Coordinating Council (FSSCC), BITS, and others to emphasize that the cybersecurity framework should recognize the existing, robust data security standards already applicable to financial institutions, including credit unions. Credit unions and other financial institutions should not be subject to additional prescriptive requirements, as they already operate under a risk-based approach to managing cyber threats.

• Comments on the preliminary framework are due to NIST by December 13, 2013; please submit your comments to CUNA by December 2, 2013. Please e-mail your comments to CUNA Assistant General Counsel for Regulatory Research Dennis Tsang at dtsang@cuna.com.

• For further details, please refer to the NIST preliminary framework and Federal Register notice, and to CUNA’s previous comment call for background.

Selected Questions to Consider Regarding the NIST Preliminary Framework

For the full list of 11 specific questions posed by NIST, please refer to the NIST preliminary framework and the accompanying Federal Register notice.

1. Does your credit union believe the NIST preliminary cybersecurity framework adequately defines outcomes that strengthen cybersecurity and support business objectives?
2. Does the preliminary framework enable cost-effective implementation?
3. Will the NIST preliminary framework be inclusive of, and not disruptive to, effective cybersecurity practices in use today, including widely-used voluntary consensus standards that are not yet final?
4. Does your credit union believe the preliminary framework enables you to incorporate threat information?
5. Regarding privacy and civil liberties, do you have any comments on how the NIST preliminary framework, including Appendix B, affects these rights?
6. Does your credit union have any general comments or suggestions on the NIST preliminary framework?
7. (Optional) What is your credit union's asset size?
8. (Optional) Please provide information about yourself and your credit union.

Thank you for your input and time.

CUNA Regulatory Advocacy Team