Last week, the National Institute of Standards and Technology (NIST) issued the final cybersecurity framework (Version 1.0), as part of the implementation of the President’s Executive Order on “critical infrastructure” cybersecurity. This voluntary framework is intended to improve U.S. cybersecurity among all critical sectors, including financial services, and should complement existing standards and rules.
While the final framework is reviewed, the Missouri Credit Union Association (MCUA) believes NIST has taken positive steps by engaging with the financial sector, and has made improvements in the final framework, including by removing proposed Appendix B, which potentially would require a prescriptive set of steps regarding privacy and civil liberties.
MCUA continues to urge NIST and other government entities to coordinate closely with all financial regulators, including the National Credit Union Administration (NCUA), to ensure the framework is consistent with, and does not expand the scope of, existing rules and regulations for credit unions. They also continue to urge additional coordination on cybersecurity. In December 2013, MCUA submitted a comment letter on the preliminary framework, urging NIST to recognize existing, robust data security requirements and standards that apply to financial institutions. The Credit Union National Association (CUNA) and the Financial Services Sector Coordinating Council for Critical Infrastructure (FSSCC) met with senior NIST staff in August 2013 to discuss issues and next steps with the framework. The NIST framework will be updated and improved as industry provides feedback on implementation.