ACA Warns NIST on Confusing Language in Draft Cybersecurity Framework Update
The American Cable Association urged the National Institute of Standards and Technology to clarify its approach to developing metrics as part of the agency’s work to update the 2014 Cybersecurity Framework, in comments released Tuesday. NIST collected feedback through Monday…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
on its draft v1.1 framework update, which included metrics language aimed at starting a conversation on how to effectively measure use of the framework (see 1701100084). Other commenters urged NIST to be cautious about metrics development and urged inclusion of language in the framework on vulnerability disclosure guidelines and cybersecurity insurance (see 1704110045). The metrics language in NIST’s draft v1.1 “is confusing, and in some respects contradictory,” ACA said. “It is not nearly ready for adoption,” in part because ACA said it “fails to convey clear, definitional guidance, and this lack of clarity is likely to frustrate small operators and may lead some to give up on the Framework altogether. Moreover, based on the proposed changes, those that do attempt to implement the entire Framework, including its recommendations on measurement, may end up relying overmuch on a one-size-fits all checklist assessment created by third party consultants or auditors, rather than making the type of inward-looking, individualized approach to cybersecurity risk management that the Framework otherwise encourages.” NIST should instead “continue to work with the private sector to develop a clearer and more useful approach,” ACA said.