Comments on Incentives to Adopt Improved Cybersecurity Practices – 04-20-13

This is part of a continuing series of blog posts looking at the responses to a joint request for information (RFI) from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) to support their development of incentives to adopt the improved cybersecurity practices being developed by the NIST as part of the Cybersecurity Framework mandated by the President’s executive order on cybersecurity (EO 13636). The previous post in the series is listed below.

Comments on Incentives to Adopt Improved Cybersecurity Practices – 04-13-13

This week there were only two responses to the RFI. They came from a lawyer, Gary Fresen, and from the Advanced Cyber Security Center (ACSC).

Private Sector Information Sharing Centers

 The ACSC response proposes the establishment of four regional private sector entities to provide a forum for the discussion and dissemination of cybersecurity information including threat and response information. It notes that these regional information sharing centers would be patterned on their organization which has successfully set up a forum in the Boston area for this type of information sharing with weekly meetings allowing face to face exchanges.

Privileged Communications

Mr. Fresen proposes setting up a new class of privileged communications that would allow for the internal collection and analysis of cybersecurity information in critical infrastructure organizations and the privileged sharing of that information with the appropriate ISACs and CERTSs. The detailed proposal includes legislative language for the establishment of that new class of privileged communications.

Moving Forward

As I noted in my post about the RFI the short deadline for this RFI is necessitated by the time constraints set forth in the Executive Order. It may be disappointing to see only a total of three comments submitted to date, it usually takes at least a month for corporate type responses to these RFI. With only nine-days left in the comment period, I suspect that we will be seeing a number of comments coming in the next week.