What they’re saying about the cybersecurity framework

The National Institute of Standards and Technology and the Homeland Security Department released the document, which focuses on risk management and flexibility to help the nation’s critical infrastructure providers and other businesses improve their cybersecurity.

Government officials, associations and companies are offering insight and comments on version 1 of the Framework for Improving Critical Infrastructure Cybersecurity.

President Barack Obama:

“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity. America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.


I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my Administration will continue to take action, under existing authorities, to protect our nation from this threat.”

Sen. Tom Carper (D-Del.), the chairman of the Homeland Security and Governmental Affairs Committee:

“Thanks to these efforts, companies now have a common, but flexible path forward to better secure their systems and also a meaningful way to measure their progress. We must now focus like a laser on ensuring widespread implementation of the framework in order to effectively protect our national and economic security. To that end, I encourage industry to continue to be good partners in this effort and implement the framework they created. Although the release of this framework is an important step in our ongoing efforts to improve cybersecurity, I still believe that legislation is necessary to address this ever-growing threat. I will continue to work with my colleagues on this important issue to ensure that Congress steps up to the plate and does its job to help protect our nation’s critical systems.”

Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), chairman and ranking member of the Select Committee on Intelligence:

“We are still studying the final version of the National Institute of Standards and Technology’s Cybersecurity Framework, but they are certainly to be commended for the collaborative, voluntary process they used to build it. However, as the President indicated in his statement, this framework addresses only part of the security challenges. Passing effective cyber threat information sharing legislation is essential to helping American companies cope with the relentless cyber attacks that they face every day from nation-states like China.”

Cyrus Amir-Mokri, the assistant secretary for financial institutions at the Department of the Treasury:

“The framework enables firms of all sizes to use benchmarks to guide cybersecurity activities and consider cyber risks as part of the organization’s overall risk management processes. Over the past year, Treasury, as the sector-specific agency for the financial services sector, has worked closely with the industry, independent financial regulators, and other government partners to provide input and shape the framework. For larger firms with already robust cyber risk management, this framework can serve to highlight specific best practices and standards that might be used. These organizations may also use the framework to evaluate the cybersecurity of clients and customers. Smaller institutions may use the framework to better understand their risk profile and establish protocols for ensuring proper controls are in place to meet that profile.”

Renee James, president of Intel:

“Improving cybersecurity in ways that promote innovation and protect citizens’ privacy is the only way to preserve the promise of the Internet as a driver of global economic development and social interaction. Intel applauds the Administration and the National Institute of Standards and Technology for constructing the cybersecurity framework hand-in-hand with industry and other stakeholders, building a model of a voluntary, risk-based tool that can be utilized by a broad array of organizations.”

Larry Clinton, president of the Internet Security Alliance:

“The most important element of the effort so far is that we have moved away from trying to impose a government-centric set of mandates on industry and instead are attempting to create a program based on industry-developed standards and practices where voluntary adoption is motivated by market incentives. This is the most pragmatic path to achieving cyber security because each critical infrastructure system is different and the technology and attack vectors change too quickly for a set of government regulations to keep pace.”

Dean Garfield, president and CEO of the IT Industry Council:

“The Framework represents an effective approach to cybersecurity because it leverages public-private partnerships, is based on risk management, is voluntary, and points to globally recognized, consensus-based standards and best practices.”

Bob Dix, Juniper Networks vice president of government affairs and public policy and chairman of the Partnership for Critical Infrastructure Security:

“The NIST Cybersecurity Framework announced today is a laudable first step toward addressing the challenges we face. However, it’s just a first step, and there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure. Without a coordinated and sustained approach, the bad guys will likely stay one step ahead.”

Ken Wasch, president of the Software and Information Industry Association (SIIA):

“A critical cybersecurity priority for SIIA is to preserve IT innovation and technology neutrality, and we are confident that this Framework will help achieve those goals. We look forward to continuing to collaborate with NIST as they identify gaps and evolve the framework, and with the Department of Homeland Security as they work to implement this. SIIA and its members are committed to promoting the voluntary use of the framework by entities seeking to improve their cybersecurity preparedness.”

Grant Seiffert, president of the Telecommunications Industry Association (TIA):

“Even with today’s release, the full story of the framework has not yet been written. As various agencies work to adapt and implement the framework, policymakers must ensure that the framework’s flexibility and benchmarks are not inadvertently transformed into a restrictive regulatory regime. If that were to happen, it would undermine the core goals of the framework and impair the ability of ICT manufacturers and owners and operators of critical infrastructure to respond to rapidly-emerging threats. With many other countries also looking to the United States for leadership, TIA has also worked with NIST to ensure that the framework is not perceived by these governments as an endorsement of inflexible mandates.”

Virginia Sloan, president of The Constitution Project:

“Effective cybersecurity is not possible without robust privacy protections. While we believe that the Fair Information Practice Principles will need to play a larger role in future versions of the framework, we recognize that setting out a process for considering privacy measures is a significant first step.”

Ann Beauchesne, the U.S. Chamber of Commerce’s vice president of national security and emergency preparedness:

“The Chamber has valued NIST’s involvement with the cybersecurity framework as they have treated the business community as a genuine partner in identifying existing cybersecurity standards and practices that are effective in improving security and resilience. Much still remains to be seen in terms of how the cyber framework is implemented and revised, especially the roles that regulatory agencies and departments will play. However, the Chamber believes that the framework will be fundamentally incomplete without the enactment of information-sharing legislation. Businesses need policies that foster public-private partnerships, unencumbered by legal and regulatory penalties, so that individuals can experiment freely and quickly to counter evolving threats to U.S. companies. We will continue to work with Congress toward this goal.”

