FCC Advisory Committee Adopts Landmark Cybersecurity Risk Management Best Practices
It has now been over two years since President Obama announced, during the 2013 State of the Union address, an Executive Order on improving infrastructure cybersecurity. The Executive Order, among other important directives, required the National Institute of Standards & Technology (NIST) to craft a voluntary Cybersecurity Framework, along with a roadmap for future areas that the Framework may explore.
TIA heavily participated in the process of the Framework's development, urging NIST to preserve the flexibility and the ability to innovate, to defer to successful public-private partnerships, and to recognize the necessity of international approaches and standards (we have discussed the Framework and TIA's views here). We believe that the Framework reflects these priorities, and have also offered additional recommendations to NIST in further development of the Framework. To find these documents and learn much more about the Framework, just visit NIST's website.
Since the Framework’s release, there have been a number of proposals on how it should be used in different sectors. TIA agrees with the Framework’s authors – NIST – and many others that the Framework is a voluntary means, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure, which does not inform a mandatory or regulatory approach.
That is why TIA was pleased to take a leadership role over two years ago in the Federal Communications Commission’s (FCC) Communications Security, Reliability, and Interoperability Council (CSRIC) effort to craft guidance on how to secure communications critical infrastructure. After two years of work, the CSRIC voted to adopt the long-awaited report titled Cybersecurity Risk Management and Best Practices. This report thoroughly lays out voluntary mechanisms to provide macro-level assurance to the FCC and the public that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise through the application of the NIST Cybersecurity Framework (or an equivalent construct).
This report not only provides guidance to communications sector stakeholders, but also serves as a model for industry members and policymakers globally, and reinforces the success of the voluntary public-private partnership model which TIA and many others advocate as the most effective means to improve cybersecurity for critical infrastructure.
TIA congratulates the CSRIC members and the FCC on the release of this landmark report and its recommendations towards improving cybersecurity for communications critical infrastructure, and looks forward to future involvement in efforts to enhance cybersecurity through collaboration with key private and public stakeholders, both in the CSRIC and in other important venues.