Nearly two years since National Institute of Standards and Technology Information Technology Policy Adviser Adam Sedgewick explained to Congress how the private sector would use the agency’s cybersecurity framework, he is amazed to hear CEOs refer to it as the “Rosetta Stone of cybersecurity.”
Now, Sedgewick’s plan is to persuade more people to feel that way.
Sedgewick addressed how the cybersecurity framework is being adopted during a panel Friday held by the U.S. Telecom Association. He said since it was released last year, he’s seen examples of “industry coming together” to carve out unique ways for the framework to fit their needs.
“We’ve seen technology companies use the framework to talk about products and services,” Sedgewick said. “We’ve seen the auditing community thinking about how this is a auditable document, we’ve seen state and local governments leveraging the framework to protect infrastructure.”
Sedgewick’s examples come as NIST continues to raise awareness on a national and international level. He said the agency is working on developing training materials that will advance the framework’s private sector use, including how it can be aligned with business processes and integrated into risk management.
Sedgewick reiterated that the private sector’s participation in the framework has been completely voluntary and shown “a lot of evidence of how industry can come together and develop solutions.”
“The ability to look over each other’s shoulder to understand practices is extremely beneficial,” he said.
Larry Clinton, CEO of the Internet Security Alliance, said a crucial way to make the framework beneficial is to measure how cost effective it is.
“The reality is if that we are going to have a voluntary system in a capitalistic economy, it’s going to have to be cost-effective. There is no other way to do deal with this,” Clinton said. “We need to integrate into how [companies] view risk, but we really need to integrate the NIST framework into profitability, into growth and into innovation. They’re all the same things.”
The telecom community is one sector figuring out how it can use the framework to develop best practices. Later this month, the Federal Communications Commission’s Communication, Security, Reliability and Interoperability Council will vote on a policy that will set industrywide security standards for telecom companies.
Sedgewick helped weigh in on that policy, saying it sets a tone for how other industries can view the framework.
“We think the report will really provide guidance to the sector,” Sedgewick said. “We were very happy with the process and we’re happy to contribute our thoughts on how the framework could contribute to the sector.”