What more can policymakers do?
Some policy proposals to improve cybersecurity would designate or mandate specific technologies, business practices, or risk management measures. Policymakers should:
• Ensure any proposals are technology neutral and flexible enough to promote technological innovation. Congress and the Administration can both contribute to this effort.
• Utilize and support processes for developing best practices that are industry-led. Congress and the Administration can both contribute to this effort.
• Actively encourage and support the global standards development work undertaken through proven private/public partnerships and the diversity of standards development organizations. Congress and the Administration can both contribute to this effort.
• Minimize or eliminate different or conflicting security requirements and policies existing within or among U.S. Federal agencies that should be adhering to common sets of requirements and policies established for civilian and defense/intelligence networks. Congress and the Administration can both contribute to this effort.
• For U.S. Federal systems, rationalize and streamline security requirements that have become unnecessarily burdensome, such as extensive paperwork mandates and inordinately lengthy testing, certification, and accreditation requirements. This will allow acquirers to more quickly adopt the latest, most secure solutions and practice more effective operational risk management and continuous monitoring. Congress and the Administration can both contribute to this effort.
• When attempting to address new security threats to U.S. Federal systems, determine which current or emerging federal security requirements or frameworks could adequately address these threats before proposing new requirements, authorities, or review processes. Congress and the Administration can both contribute to this effort.
• When updated requirements for U.S. Federal systems are determined necessary, ensure that they build upon, modify, or replace existing requirements so as to maintain a clear, streamlined, and integrated approach to federal cybersecurity. Congress and the Administration can both contribute to this effort.
• Promote greater research and development (R&D) in cybersecurity such as by 1) extending and making permanent the R&D tax credit, and 2) supporting long-term government R&D in cybersecurity, such as by increasing funding for the federal Networking and Information Technology Research and Development (NITRD) Program. Congress should lead on this effort.
• Actively support and fully operationalize industry-government partnerships to identify, sort, and prioritize cyber threats to ensure approaches to security are adaptive, appropriate, and effective. Congress and the Administration can both contribute to this effort.
• Leverage existing partnerships and efforts in the area of critical infrastructure protection before broadening the scope and definition of “critical infrastructure” or increasing regulations in this area. Congress and the Administration can both contribute to this effort.
• Convene a discussion with all interested stakeholders on whether and how to update the definition of “critical infrastructure” and develop a dynamic assessment model that can respond to changing technologies and risks. The Administration should lead on this effort.
The IT Industry’s Cybersecurity Principles for Industry and Government
PAGE 15