A new draft report by an interagency working group lays out objectives and recommendations for enhancing the U.S. government's coordination and participation in the development and use of international standards for cybersecurity. The report recommends the government make greater effort to coordinate the participation of its employees in international cybersecurity standards development to promote the cybersecurity and resiliency of U.S. information and communications systems and supporting infrastructures. These efforts should include increased training, collaborating with private industry and working to minimize risks to privacy.
The Cybersecurity Enhancement Act of 2014 directed the National Institute of Standards and Technology (NIST) to work with relevant federal agencies to ensure interagency coordination in "the development of international technical standards related to information system security" and to "ensure consultation with appropriate private sector stakeholders." It also called for NIST to submit to Congress, within one year, a plan for ensuring that coordination. The International Cybersecurity Standards Working Group, led by the Department of Commerce and NIST, was set up by the National Security Council's Cyber Interagency Policy Committee to draft this report, which will also serve as the basis of the required report to Congress. Public comments on the draft report are due by September 24, 2015.
The draft report outlines four U.S. government strategic objectives for the development and use of international standards for cybersecurity:
The draft report then lays out eight recommendations for how the federal government can achieve those objectives, including by ensuring coordination across the government and collaboration with the private sector and internationally, and promoting federal agency participation in international standards development and federal use of international standards and assessment schemes.
The U.S. standards system differs significantly from the government-driven, centrally coordinated systems common in many other countries. Under the U.S. system, hundreds of standards development organizations (SDOs) provide the infrastructure for the preparation of standards documents. While these organizations are overwhelmingly private sector, government personnel participate in standards development activities along with representatives from industry, academia, and other organizations and consumers.
A supplement to the draft report provides a summary of ongoing activities in critical international cybersecurity standardization and an inventory of U.S. government and private-sector engagement. It also provides guidance for agencies to plan and coordinate more effective participation in these activities.
The working group's draft report supports the 2010 United States Standards Strategy, which was developed through a public-private partnership. The strategy outlines the contribution of private-sector-led standards development to overall competition and innovation in the U.S. economy, and the imperative of public and private-sector participation and collaboration.
The full Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity [NISTIR 8074 Volume 1 (Draft)] and supplement [NISTIR 8074 Volume 2 (Draft)] can be found on the NIST website.