This is part of an ongoing look at the responses
to the National Institute of Standards and Technology's (NIST) latest
request for information (RFI) on potential updates to the Cybersecurity
Framework (CSF). A reminder: the comment period will remain open until February
9th, 2016. The previous posts in this series include:
As of this morning there is only one new response posted to
the RFI Response site. It comes from:
Prevent Duplication of Regulatory Processes
NIST question 9 asks:
“What steps should be taken to “prevent duplication of
regulatory processes and prevent conflict with or superseding of regulatory
requirements, mandatory standards, and related processes” as required by the
Cybersecurity Enhancement Act of 2014?”
Emblem Health suggested using the CSF as the basis of any
regulation, noting: “If a minimum standard could be adopted that would allow health
care companies to have a target that if reached would provide some guidance to
the C-suite that the IT department had achieved the proper security level.”
Should CSF be Updated?
NIST question 10 asks:
“Should the Framework be updated?”
Emblem Health responded that: “The framework should be
continuously reviewed and updated.”
Private Sector Involvement
NIST question 20 asks:
“What should be the private sector’s involvement in the
future governance of the Framework?”
Emblem Health suggested that participation in a ‘governing committee’
would be an appropriate way for private sector organizations to be involved in the
future governance of the Framework.
Commentary
This week’s response was submitted using the NIST template
and Emblem Health responded to nearly every question asked by NIST. The
responses were short and to the point. It would be helpful to NIST if all
responses were similarly prepared and targeted.
With less than two weeks left in the comment period, it is
very disappointing to see only seven comments submitted to date. Hopefully we
will begin seeing responses from corporate America next week.