February 11, 2014

NIST cybersecurity framework out this week

Feb. 12, 2014 – The National Institute of Standards and Technology could, as early as today, release its cybersecurity framework for reducing risks to critical infrastructure, a move supported by NAFCU given its voluntary guidelines and the impact recent cybersecurity attacks have had on the financial industry.

An article in BankInfoSecurity noted that the framework has five functions – "identify, protect, detect, respond and recover" – which it says will help an organization manage its cybersecurity risks. Once the framework is released, NAFCU will seek input from its members.

During the past year, NAFCU participated in a meeting with representatives from the Financial Services Sector Coordinating Council for Critical Infrastructure Protection, of which NAFCU is a founding member, and NIST, to discuss the framework. Last April, NAFCU submitted a comment letter to NIST on its initial notice of inquiry regarding the framework. NAFCU supported the initiative as it is voluntary, but it urged NIST to not take a one-size-fits-all approach as it develops the framework.

NAFCU's five-point plan also calls on Congress to take a 21st-century approach to data security. Specifically, it is pressing for national standards on merchant data security, liability if such standards are not met, and immediate notification to financial institutions and their account holders when breaches occur.

A year ago in February, the president signed an executive order that addresses information sharing, privacy and the development of voluntary standards with industry partners. This cybersecurity framework is a part of that effort.