This is part of an ongoing look at the responses to the National Institute of Standards and Technology (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder: the comment period will remain open until February 9th, 2016. The previous posts in this series include:
As of this morning there is only one new response posted to the RFI Response site. It comes from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”
Emblem Health suggested using the CSF as the basis of any regulation noting: “If a minimum standard could be adopted that would allow health care companies to have a target that if reached would provide some guidance to the C-suite that the IT department had achieved the proper security level.”
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
Emblem Health responded that: “The framework should be continuously reviewed and updated.”
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the future governance of the Framework?”
Emblem Health suggested that participation in a ‘governing committee’ would be an appropriate way for private sector organizations to be involved in the future governance of the Framework.
This week’s response was submitted using the NIST template and Emblem Health responded to nearly every question asked by NIST. The responses were short and to the point. It would be helpful to NIST if all responses were similarly prepared and targeted.
With less than two weeks left in the comment period, it is very disappointing to see only seven comments submitted to date. Hopefully we will begin seeing responses from corporate America next week.