Over the past several weeks, I’ve visited several national capitals to address cybersecurity concerns with policymakers and industry leaders. One shared challenge facing governments and critical sectors worldwide is the need for a common baseline of cybersecurity risk management guidance that can be utilized by organizations at different levels of sophistication. Often, these discussions turn to the Cybersecurity Framework issued earlier this year by the U.S. National Institute for Standards and Technology (NIST). The Framework helps to meet this challenge, and it offers the opportunity for further international collaboration because it is rooted in widely-recognized international and national standards and practices.
Microsoft recently filed comments in response to NIST’s Request for Information (RFI) about our experience with the Cybersecurity Framework. We were pleased to provide our perspective and we commend NIST for continuing its commitment to transparency in the Framework development process. With just over six months having passed since the Framework’s release, it is an opportune time for feedback about the Framework and implementation of the underlying Executive Order (EO) on Improving Critical Infrastructure Cybersecurity.
In our comments, Microsoft emphasizes three key considerations for NIST and the U.S. Government as the Framework matures and EO implementation continues:
- Microsoft’s security policies and practices are consistent with the Framework’s security guidance, as demonstrated by our certifications against two of the foundational standards that support the Framework, ISO 27001 and NIST SP 800-53.
- Microsoft is concerned that without further implementation of the Framework-support mechanisms outlined in the EO, such as incentives for Framework usage, there may be insufficient market drivers for some organizations to use the Framework.
- In addition to creating incentives, the U.S. Government should focus on international harmonization of cybersecurity requirements and guidance, with the Framework as a baseline for that outreach.
Microsoft’s comments about the need for incentives and further international engagement are reflective of our desire to see the Framework emerge as a global reference point for cybersecurity risk management. Today, while many domestic and international organizations may be aware of the Framework, their understanding of its intended use cases and substantive guidance is likely to be low. Delivering incentives for Framework use, as called for in the EO, could help drive Framework usage by creating a stronger market case for the Framework. Microsoft will continue to invest in cybersecurity risk management because it clearly aligns with our customers’ interests; other organizations may not feel compelled to do the same without government incentives. Likewise, a concerted effort by the U.S. Government to explain the Framework to its foreign counterparts would support a globally-harmonized baseline for cybersecurity risk management. This outcome depends upon public sector leadership and investment.
For our part, Microsoft will continue to help advance the Framework through direct outreach in the United States and beyond. We have supported the U.S. Chamber of Commerce’s nationwide outreach to small and medium-sized enterprises, including our participation in an event near our global headquarters in Washington State. We have also joined NIST and industry colleagues for outreach to the Governments of Japan and Korea through a mission organized by the Information Technology Industry Council (ITI). Through these initiatives and others, we aim to create an environment that enables the Framework to succeed.
Microsoft looks forward to continued engagement with NIST and our government and industry partners to advance cybersecurity risk management initiatives, including the Framework. We invite you to learn more about our perspectives on cybersecurity at www.microsoft.com/cybersecurity.