ETA Comments on NIST Cybersecurity Framework

December 13, 2013

VIA EMAIL TO [email protected]

Information Technology Laboratory
Attention: Adam Sedgewick
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, Maryland 20899

RE: Preliminary Cybersecurity Framework Comments

Mr. Sedgewick:

The Electronic Transactions Association (ETA), an international trade association representing companies who offer electronic transaction processing products and services, submits the following comments in response to the release of National Institute of Standards and Technology’s (NIST) October 22 Preliminary Cybersecurity Framework (the Framework) for improving critical infrastructure cybersecurity.

The ETA is pleased that the Framework relies on existing standards, guidance, and best practices to assist organizations in managing cybersecurity risks. By relying on practices developed, managed, and updated by industry stakeholders, the Framework should afford the payments industry a flexible, dynamic approach to matching business needs with cybersecurity improvements.

On the other hand, there is concern that the Framework’s recommendations will become de facto obligations or will eventually be made mandatory by agencies charged with evaluating the adequacy of existing regulations. In short, it is not clear what it will mean to “adopt” the Framework. There is additional concern that the Framework’s blanket approach could stymie implementation by stakeholders with distinct threat and risk considerations (i.e., the Framework does not include a standards development process specific to the payments industry).

Finally, Appendix B of the latest iteration of the Framework includes onerous and unclear articulations of privacy protections. The privacy requirements outlined in Appendix B are stricter than what many ETA members currently operate under, and small- and medium-sized entities may not be equipped to adhere to such an excessive and complex framework. It is ETA’s suggestion that NIST revise or pare down Appendix B, as its inclusion in the cybersecurity Framework may compromise the broad adoption NIST is envisioning.

As the Framework’s finalization proceeds, the ETA is available to share information regarding the standards, guidelines, and processes unique to the payments industry.

Respectfully submitted,

The Electronic Transactions Association
1101 16th Street NW, Suite 402
Washington, D.C. 20036
(202) 828-2635
Point of contact: Jaime Graham