WASHINGTON—NAFCU said it fully supports the National Institute of Standards and Technology's efforts to revise its cybersecurity framework and "finds that Version 1.1 offers both improved utility and better explanations for key cybersecurity concepts," NAFCU's Andrew Morris said in a comment letter to the institute.
"NAFCU believes that continuous refinement of the framework over time will help non-regulated entities achieve the high standards set by financial institutions and ensure that regulatory expectations are aligned with objective, risk-based principles," wrote Morris, NAFCU's regulatory affairs counsel.
In January, NIST issued a draft update to its 2014 cybersecurity framework. Morris noted that many NAFCU member credit unions have benefited from NIST's framework, as it aided in the development of the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool (CAT). He added that the NCUA's future cybersecurity examination procedures may "substantially mirror the CAT's structure."
Morris said NIST's clarifications regarding supply chain risk management and the use of the framework's implementation tiers will help credit unions understand risks relative to other financial sector stakeholders.
He commended the proposal's "forward-looking emphasis" in its use of metrics and measures but said NAFCU does not believe that portion of the framework is well-suited for compliance-oriented credit union examinations. "To offset the risk of an ever-expanding list of metrics examined by regulators, NAFCU agrees with NIST that any measurement system should be designed with business requirements and operating expenses in mind," he wrote.
Morris added that NIST "should continue to work with other regulators and industry stakeholders to clarify how the framework should be used or adopted, and emphasize that there is no one-size-fits-all approach to cybersecurity."
Separately, CUNA and the Independent Community Bankers of America have also sent a comment letter to NIST stressing that cybersecurity standards must remain flexible.
“We are urging the agency not to create a set of rules that is one size fits all,” said Lance Noggle, CUNA senior director of advocacy and counsel.
