The U.S. government needs to make a “greater effort to coordinate the participation of its employees in international cybersecurity standards development to promote the cybersecurity and resiliency of U.S. information and communications systems and supporting infrastructures,” the National Institute of Standards and Technology (NIST) said in a draft report released for public comment on August 11.
The Cybersecurity Enhancement Act of 2014 mandates that the report be provided to Congress. The act requires NIST to work with relevant federal agencies to ensure interagency coordination “in the development of international technical standards related to information system security.” The report was developed by the International Cybersecurity Standards Working Group, which was set up by the National Security Council's Cyber Interagency Policy Committee to draft it. Public comments on the report are due September 24.
According to the draft report, the U.S. government's strategic objectives for the development and use of international standards for cybersecurity include enhancing national and economic security and public safety; ensuring standards and assessment tools for the U.S. government are technically sound; facilitating international trade; and promoting innovation and competitiveness.
The report also includes recommendations for how the federal government can achieve those objectives by ensuring coordination; promoting participation in cybersecurity standards development; developing timely and technically sound standards and assessment schemes; leveraging public and private sector collaboration; enhancing international coordination and information sharing; supporting and expanding standards training for federal agency staff; developing technically sound international standards that minimize privacy risk; and using relevant international standards to achieve mission and policy objectives.
In making the case for better coordination with international standards, the report notes that the U.S. standards system differs significantly from the government-driven, centrally coordinated systems common in many other countries.
“Under the U.S. system, hundreds of standards development organizations (SDOs) provide the infrastructure for the preparation of standards documents,” NIST said in an online statement announcing the report. “While these organizations are overwhelmingly private sector, government personnel participate in standards development activities along with representatives from industry, academia, and other organizations and consumers.”
The 17-page draft report also includes an 87-page supplement, which provides a current summary of ongoing activities in critical international cybersecurity standardization, an inventory of U.S. government and private sector engagement, and information to help federal agencies and other stakeholders to effectively participate in international cybersecurity standards development.
According to NIST, the draft report “supports the 2010 United States Standards Strategy, which was developed through a public-private partnership and outlines the contribution of private-sector led standards development to overall competition and innovation in the U.S. economy and the imperative of public and private-sector participation and collaboration.”