Ride the Lightning

White House Orders NIST to Develop a New Cybersecurity Framework

August 31, 2021

Nextgov reported on August 25 that the National Institute of Standards and Technology will work with major tech and insurance companies to create a new framework to help companies build more secure software.

“The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software,” according to a fact sheet the administration issued following a meeting with industry leaders. “Microsoft, Google, Travelers, and Coalition committed to participating in this NIST-led initiative.”

Voluntary NIST frameworks have been the basis of U.S. cybersecurity policy starting in 2014, and the Biden administration is committed to maintaining as much of that approach as possible amid pressure to impose cybersecurity requirements because of the increasing number and severity of recent attacks.

“Our view has long been that it is a combined responsibility of the federal government to put in place clear guidelines, clear best practices, and the private sector to take steps to harden their own cybersecurity,” White House Press Secretary Jen Psaki said during the press briefing when asked whether cybersecurity mandates might be necessary.

Google and Microsoft said they would spend $10 billion and $20 billion respectively in cybersecurity over the next five years. Google said its investment would “expand zero-trust programs, help secure the software supply chain, and enhance open-source security” and Microsoft said its contribution would be to “accelerate efforts to integrate cyber security by design and deliver advanced security solutions.”

Without saying how much it would spend, Apple committed to starting a program that will increase its suppliers’ adoption of multifactor authentication, security training vulnerability remediation, event logging and incident response. Amazon said it would provide free security awareness training to the public and a multifactor authentication option for customers of its web services.

Cyber insurance provider Resilience announced it will look to fulfill the security role of insurers by “requiring policy holders to meet a threshold of cybersecurity best practice as a condition of receiving coverage.”

Even if the government doesn’t mandate cybersecurity standards, insurance companies are increasingly mandating such standards by denying coverage if the standards are not met.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson