An anonymous veteran left a brief comment yesterday on apost from this weekend about the newest request for information supporting the President’s cybersecurity EO. Kind words are always appreciated, but a very important point was made when the vet wrote:
“I will tamp down my cynicism momentarily and instead emphasize that I appreciate the opportunity for stakeholders to engage. There are many times when this opportunity is not even provided.”
In my criticism of the timing of the RFI I did not take enough time to recognize the fact that the agency did, in fact, request public participation in the formative stages of this rule making process. This whole Cybersecurity Framework process has been designed to encourage participation by the regulated community and that is always a good thing. While this inevitably slows down the process, it should ultimately make this voluntary-participation based program more successful.
The only real downside to date has been the relatively poor public participation, particularly from the subject matter experts in the cybersecurity community. I have been reminded though, through a variety of comments in discussions on this topic in LinkedIn groups that many organizations are providing more detailed comments through some of the less public venues provided for by the government. These are being utilized to provide for a fuller discussion of actual and perceived vulnerabilities that the organizations don’t want to become public.
But yes, Anonymous, a request for public comments, however late, is a good thing. Responses will make it even better.