Perspectives related to the 16 U.S. Critical Infrastructure sectors.
"We are working close[ly] with our government partners and believe robust public private partnerships are the most effective way to manage threats. We support the NIST cybersecurity framework and efforts to align cybersecurity policy with these guidelines."
Kenneth Benson, Jr., President and CEO, SIFMA
May 9, 2018 - SIFMA 2018 Operations Conference and Exhibition
“We appreciate the effort by NIST to continue supporting a broad, cross-sector Cybersecurity Framework to reduce cybersecurity risks to critical infrastructure. The ability to maintain flexibility, while sufficiently detailing program components to provide substantive guidance is essential to risk management. The voluntary, high-level nature of the Framework is directly related to its successful deployment by industry, which strengthens the trusted partnership between NIST and private industry. NIST continues to excel at soliciting input and feedback on updates and changes to the Framework, and the Energy Sector will continue to be an active participant…. AGA, EEI, and our members continue to support NIST’s efforts by raising awareness of the Framework through a variety of means, including outreach to our member committees and conferences focused on cybersecurity, through the Electricity Subsector Coordinating Council (“ESCC”) and the Oil and Natural Gas Subsector Coordinating Council (“ONG SCC”), and in cross-sector venues. Though our members have already employed various cybersecurity risk management activities, the Framework has facilitated more comprehensive and mature, enterprise-wide approaches to cybersecurity.”
Scott I. Aaronson, Vice President, Security & Preparedness, Edison Electric Institute
Jim Linn, Chief Information Officer, American Gas Association
January 19, 2018 – AGA-EEI RFC Response
“This high-level Framework provides the appropriate mix of flexibility and specific risk management program components, providing private industry with effective guidance for their individual programs. Further, the collaborative approach to developing and revising the framework has served to strengthen the valuable and trusted partnership between NIST and private industry. INGAA commends NIST for its approach to working with private industry and soliciting feedback on these updates.”
Rebecca Massello, Director of Security, Reliability and Resilience, Interstate Natural Gas Association of America (INGAA)
January 19, 2018 – INGAA RFC Response
“API member companies continue to support the Cybersecurity Framework (CSF), including V1.1, as the pre-eminent standard for companies’ cybersecurity programs and for policy making globally. We support the CSF because it is (a) comprehensive, (b) a risk management approach, (c) scalable to different types and sizes of companies, and (d) widely used across industry…. Overall, API continues to support the use of CSF and believes that NIST is a prime example of how government can work cooperatively with industry to manage risks, with the goal of providing reliable and affordable energy to the nation.”
Aaron Padilla, Senior Advisor, International Policy, American Petroleum Institute (API)
January 19, 2018 – API RFC Response
“NCTA appreciates NIST’s continued efforts to update and enhance the Cybersecurity Framework and we look forward to continuing to collaborate with NIST on refining and improving this important resource for managing cybersecurity risk.”
Rick Chessen, Senior Vice President, Law & Regulatory Policy and Loretta Polk, Vice President & Associate General Counsel, The Internet & Television Association (NCTA)
January 19, 2018 – NCTA RFC Response
“As the Framework approaches the end of its fourth year of implementation following the publication of Version 1.0 in February 2014, USTelecom and its U.S. and international members will endeavor to promote the use of Framework Version 1.1 and accelerate its implementation as an advanced risk management tool in order to build cybersecurity resiliency throughout the global internet and communications ecosystem. In 2014 and 2015, we helped lead the groundbreaking initiative under the fourth Communications Security, Reliability and Interoperability Council (“CSRIC”) to develop tailored Framework implementation plans for each of the five segments of [the] communications sector (wireless, wireline, cable, satellite, and broadcast). This CSRIC initiative was, and remains, the most ambitious and in-depth Framework implementation effort in any segment of the economy.”
“AWWA has been actively promoting use of the Cybersecurity Framework (‘Framework’) since it was first issued in 2014. We were one of the first organizations to provide a voluntary, sector-specific approach for implementing the Framework based on a use-case approach that allows the users to prioritize the control measures applicable to a given function(s). We commend NIST for the collaborative process used to develop and refine the Framework with stakeholders …. AWWA, an awardee of the 2016 NIPP Resilience Challenge, has launch[ed] a national initiative to promote the use of the Framework in the water sector based [on] the resources we have developed.”
G. Tracy Mehan, III, Executive Director – Government Affairs
January 19, 2018 – AWWA RFC Response
“ChemITC supports the framework and its continuing flexibility. The framework is complementary to the voluntary Security Code included into ACC’s Responsible Care® Program and other voluntary frameworks that have similar goals. ChemITC has actively promoted the joint industry-National Institute of Standards and Technology (NIST) cybersecurity framework (the framework) since it was released in 2014. The framework is backed by many industry sectors, and the proposed updates, especially provisions related to the supply chain and consideration of metrics, generally represent enhancements to the original framework…. Our experience indicates that the framework is extremely useful. ChemITC members are using the framework and urging business partners to do the same to better manage cybersecurity risks to their information networks and systems.”
Bill Gulledge, Senior Director, Chemical Products & Technology Division Manager, ChemITC Program, American Chemistry Council (ACC)
April 10, 2017 – ACC RFC Response
“CHIME and AEHIS continue to be strong champions of the NIST CSF and believe it should be used by the entire healthcare sector.”
Russell Branzell, CEO & President, CHIME; Cletis Earle, Chair, CHIME Board of Trustees, Vice President and CIO, Information Technology, Kaleida Health; and Erik Decker, Chair, AEHIS Board, CISO and Chief Privacy Officer, University of Chicago Medicine
January 19, 2018 – CHIME & AEHIS RFC Response
“In the fall of 2016, the HIMSS North America Board of Directors approved the Cybersecurity Call to Action and since that time, HIMSS has been advocating for the adoption of holistic security measures. Accordingly, HIMSS supports NIST’s inclusion of holistic security principles throughout the Framework—including the alignment of cybersecurity risk management with the business context and resources that support critical functions. Our Call to Action also advocates for adoption and use of the Framework, as well as fostering the growth of the healthcare cybersecurity workforce.”
Denise W. Hines, CEO, eHealth Services Group, Chair, North America Board of Directors; Michael H. Zaroukian, Vice President & CMIO, Sparrow Health System, Chair, HIMSS Board of Directors; Harold F. Wolf III, President & CEO, HIMSS
January 19, 2018 – HIMSS RFC Response
“We value NIST’s ability to identify cybersecurity trends and aggregate best practices, particularly at a time in which patients and physicians regularly interact with health information technology (health IT) both within and outside of physician practices. In particular, we support the Framework’s voluntary approach that offers flexibility and allows entities to customize how they adopt and implement a cybersecurity framework. This is critical in the health care space where a solo practitioner has very different resources than a large health system. We appreciate that NIST created and is working to improve a tool through which an organization can evaluate its security practices.”
“AdvaMed appreciates NIST’s efforts to improve cybersecurity risk management. Although the Framework is not directly applicable to the management of risks for medical devices, our members have found portions of the Framework helpful. Moreover, the U.S. Food and Drug Administration (“FDA”), whom we commend for its proactive leadership role over medical device cybersecurity, has utilized the Framework in its work to ensure that medical device cybersecurity is considered and addressed throughout all stages of product design and use.”
“We believe there is wide support in industry for NIST to focus its efforts on establishing a uniform method of reporting while encouraging industries to tailor specific control frameworks and associated assurance programs to meet the needs of the industry.”
“Motorola Solutions commends the National Institute of Standards and Technology’s (NIST) continued commitment to the Cybersecurity Framework (CSF).”
“AFPM members have been at the forefront of cybersecurity efforts, participating in a wide range of industry and government initiatives to enhance cybersecurity for critical infrastructure within the oil and natural gas, and chemical sectors. AFPM members utilize the Framework as a tool in their own facility cybersecurity risk assessments, using it as guidance to better measure their facilities’ cybersecurity risk management programs…. AFPM recognizes that cybersecurity is a dynamic threat that could have direct consequences for critical infrastructure sites. As such, we broadly support the proposed amendments to the Framework and urge NIST to retain the voluntary nature of its Framework to enable more successful and efficient critical infrastructure cybersecurity programs.”
“The transportation sector has conducted a joint government-industry initiative to offer guidance to businesses on using the framework as a risk management tool. The Transportation Systems Sector Cybersecurity Working Group (TSSCWG)—made up of officials with the Transportation Security Administration (TSA), the Department of Transportation (DOT), the Coast Guard, and of representatives for each of the transportation modes—provided the forum for this cooperative effort. The working group’s guidance has contributed substantially to common understandings of the framework and to a broader use of the framework by entities in each mode of the transportation sector. The TSSCWG produced flexible guidance to facilitate businesses’ use of the framework in ways adaptable to the varying sizes, resource bases, and risk profiles of organizations across the transportation sector. A key element of this approach is the development of cyber threat intelligence priorities, which are submitted to DHS and reflect the needs of TSSCWG members. By pooling public-private intelligence requirements together, the goal is to produce an up-to-date cyber threat picture, which should better instruct organizations’ use of the framework in mitigating cyber risks….”
"The Council also encourages the financial regulators to remain actively engaged with NIST as various NIST publications are updated, including the Framework. As cybersecurity supervision evolves, the Council recommends that financial regulators establish a harmonized risk-based approach utilizing the Framework and common lexicon, which can be leveraged to assess cybersecurity and resilience at the firms they regulate. In addition, financial regulators should harmonize the development of any specific cybersecurity rules and guidance domestically, as appropriate. Such efforts will further reinforce efforts by diverse stakeholders to promote baseline protections across the sector."
Financial Stability Oversight Committee (FSOC) – 2017 Annual Report
"Collaboration among many stakeholders on cybersecurity is critical to progress. The Federal Reserve has been working with, and will continue to work with, other financial regulatory agencies on harmonizing cyber risk-management standards and regulatory expectations across the financial services sector.
Specifically, we are focused on aligning our expectations with existing best practices, such as the National Institute of Standards and Technology's Cybersecurity Framework, and identifying opportunities to further coordinate cyber risk supervisory activities for firms subject to the authority of multiple regulators. We support industry efforts to improve harmonization across the sector, which are complementary to achieving our regulatory safety and soundness goals."
Federal Reserve Vice Chairman for Supervision Randal K. Quarles
The Financial Services Roundtable - 2018 Spring Conference
Brief Thoughts on the Financial Regulatory System and Cybersecurity
"...a comprehensive program entails adopting a risk management framework, such as the NIST Cybersecurity Framework, implementing a rigorous process, and adhering to a continuous process improvement mindset. Because the cybersecurity landscape continues to change and evolve, a “once-and-done” process, or a simple compliance checklist, is not sufficient to protect an organization."
Fernando Martinez, senior vice president and chief digital officer of the Texas Hospital Association and president and CEO of the Texas Hospital Association Foundation, and Bob Chaput, founder and CEO of Clearwater Compliance.
April 13, 2018 - 3 Things That Healthcare Must Understand About Cybersecurity
Resources related to this user group.