January 19, 2018

NAFCU supportive of NIST framework updates

NAFCU supports the updates to the National Institute of Standards and Technology (NIST) cybersecurity framework as they effectively clarify significant cybersecurity concepts, wrote NAFCU Regulatory Affairs Counsel Andrew Morris in a letter to the institute Friday.

"NAFCU believes that continuous refinement of the Framework over time will also help non-regulated entities achieve the high standards set by financial institutions and ensure that regulatory expectations are aligned with objective, risk-based principles," he added.

In December, NIST issued a second draft update to its 2014 cybersecurity framework. Morris noted that many NAFCU members have benefited from NIST's consistent lexicon of cybersecurity terminology, which has informed the development of the Federal Financial Institutions Examination Council's cybersecurity assessment tool (CAT). He added that the NCUA's cybersecurity examination procedures also substantially mirror the CAT's structure.

The clarifications in this draft update regarding the relationship between implementation tiers and maturity level are necessary to inform both users of the framework and regulatory agencies that an "organization's desired maturity level should be risk-based and aligned with cost benefit analysis," Morris commented. This is an essential distinction, he added, since there is no one-size-fits-all approach to cybersecurity.

Morris provided further comments on the framework's revisions concerning the measurements organizations use, how an organization determines its cybersecurity maturity through use of the framework, and the utility of information sharing.