NAFCU Expresses Support For NIST’s Cybersecurity Framework

ARLINGTON, Va.—Updates to the National Institute of Standards and Technology (NIST) cybersecurity framework received support from NAFCU, which stated the changes effectively clarify significant cybersecurity concepts.
"NAFCU believes that continuous refinement of the Framework over time will also help non-regulated entities achieve the high standards set by financial institutions and ensure that regulatory expectations are aligned with objective, risk-based principles," wrote NAFCU Regulatory Affairs Counsel Andrew Morris in a letter to NIST.
In December, NIST issued a second draft update to its 2014 cybersecurity framework. Morris noted that many NAFCU members have benefited from NIST's consistent lexicon of cybersecurity terminology, which has informed development of the Federal Financial Institutions Examination Council's cybersecurity assessment tool (CAT). He added that the NCUA's cybersecurity examination procedures also substantially mirror the CAT's structure.
The NIST clarifications in this draft update regarding the relationship between tiers and maturity level are necessary to inform users of the framework and regulatory agencies that an "organization's desired maturity level should be risk-based and aligned with cost benefit analysis," Morris commented. This is an essential distinction, he added, since there is no one-size-fits-all approach to cybersecurity.
Morris also provided additional comments on the framework's revisions concerning how organizations employ measurements, how an organization determines its cybersecurity maturity through use of the framework, and the utility of information sharing.

Copyright Holder: CUToday.info
Copyright Year: 2026