This is part of a continuing series of blog posts looking at
the responses to a
joint request for information (RFI) from the National Telecommunications
and Information Administration (NTIA) and the National Institute of Standards
and Technology (NIST) to support their development of incentives to adopt the
improved cybersecurity practices being developed by NIST as part of the
Cybersecurity Framework mandated by the President’s executive order on
cybersecurity (EO 13636).
The previous posts in the series are listed below.
With Monday being the deadline for filing comments on the
RFI there are only four new comments posted on the NTIA site. The comments are
from:
• Utilities Telecom Council; and
• DCS Corp
Cybersecurity Insurance
The comments from both DCS Corp and Romanosky address the
issue of using insurance as part of the incentives package. Romanosky provides
a detailed discussion of both the theoretical basis for cybersecurity insurance
and how it could be used to incentivize increased cybersecurity protections.
The DCS Corp comments focus on how meeting the standards of the Cybersecurity
Framework could lessen the cost of such insurance. The Honeywell comments also
briefly and favorably address using cybersecurity insurance as a tool to encourage
voluntary framework compliance.
Utility Compliance
The comments from Utilities Telecom Council, not
unexpectedly, focus on cybersecurity incentives from a utility perspective. They
include a brief discussion of tax incentives that could be applied to the
situation. More importantly, though, they make the case for centralizing and
combining cybersecurity regulations to reduce the regulatory burden of trying
to comply with multiple regulatory agencies.
Framework then Incentives
The Honeywell comments make another important point: it is difficult to talk about incentives
to implement the Cybersecurity Framework without knowing what requirements may
be included in the Framework. The comments then go on to reiterate comments
that we have been hearing associated with CISPA; corporations need immunity
from civil suits for sharing cybersecurity information with the government and
acting in good faith on government-supplied threat information, as well as
immunity from anti-trust actions for cooperating and coordinating cybersecurity
activities with other companies.
One Day Left
With only a single day left for submitting timely comments,
it will be interesting to see how many additional comments will be submitted. So
far, there has been no discussion about control system security
incentives for either owner/operators or system vendors. It has been an
extremely abbreviated comment period, but that was necessitated by the short
time frame the President set forth in the cybersecurity EO.