On May 16-17, Microsoft participated in a workshop organized by the National Institute of Standards and Technology (NIST) on its recently released Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”) Draft Version 1.1. It was a useful discussion, not least because it showed NIST’s continuing commitment to engage in genuine multi-stakeholder dialogue in the development of cybersecurity guidelines and risk management practices. As a colleague of mine wrote some time ago, “Proactive, structured engagements, using public consultation, open workshops with diverse stakeholders, including industry experts, and iterative drafts, really does yield products that are more relevant to the challenges at hand and useful to stakeholders.”
The topical additions to Draft Version 1.1 of the Framework, specifically supply chain security and cybersecurity metrics, show both the durability of the overall approach and its ability to accommodate evolving needs. However, changes must be incorporated in a way that preserves and strengthens the Framework’s broad usability. In particular, Microsoft identified two key areas that should be revised consistent with that goal:
- Approaches for understanding risk management posture and goals, including the measurement and metrics guidance, should be developed in supplementary documents rather than in the Framework itself because these approaches are not yet sufficiently stable nor adequately mature.
- Supply chain risk management should be integrated throughout the Core’s Subcategories and Informative References rather than within the Implementation Tiers to reduce confusion about how to use the Tiers.
Microsoft has supported the Framework since its inception, and it is integrated into our enterprise risk management program. It influences our security risk culture and informs how we communicate about security capability maturity across our senior management and with our Board of Directors. In conversations with customers, partners, and other industry stakeholders, Microsoft has learned that our positive experience is not unique. In fact, since 2014, the Framework has gained broad recognition as effective guidance for cybersecurity risk management due to its applicability across sectors and organizations of different sizes.
This broad usability has meant that the Framework has gained traction internationally. As governments around the world develop, update, and implement legislation, regulation, or guidelines to protect critical infrastructures, the Framework – as a cross-sector baseline to manage cybersecurity risks – can inform these national efforts and promote interoperability across jurisdictions. Italy and Australia, for example, have already done so. But more can be done. Microsoft continues to advocate for the U.S. Government to promote use of the Framework domestically and abroad. There is not only an opportunity, but rather a need to internationalize the approach of the Framework. Greater use of will help to enhance cybersecurity across the globe, and importantly, advance economic growth.
To do so, the U.S. Government should promote the Framework globally as the keystone economic objective of this Administration’s international strategy and engagements on cyber. Its efforts should be coordinated across agencies and the opportunities afforded by their missions. For example, the Department of Commerce should highlight the benefits of interoperability to other countries’ economies and security in bilateral, multi-lateral, and regional trade missions and negotiations; NIST should move relevant parts of the Framework into an international standards body; and the State Department should translate the Framework into at least the six official languages of the United Nations and promote the Framework in bilateral engagements, regional and multilateral forums.
As a provider of technology products and services to more than one billion customers and around the world, Microsoft is immensely supportive of approaches such as the Cybersecurity Framework. We have collaborated with domestic and international partners on the Framework, and remain committed to working with industry and government to use, promote, and strengthen approaches that are based on both international standards and public-private dialogue and partnership, which this May’s workshop exemplified.
Microsoft submitted comments on Framework Draft Version 1.1.