The Communications Sector Coordinating Council (CSCC) would like to thank the ISAO Standards Organization, working group leads, and members that have contributed to the draft guidelines published in July. We believe that the current drafts are trending in the right direction, as they move towards providing greater flexibility and less rigid standards. We look forward to ongoing participation in the process. However, as we noted in our joint letter with the Communications Information Sharing and Analysis Center (Comms-ISAC), the Information Technology ISAC (IT-ISAC) and the IT-SCC dated June 16, there remain some areas of significant concern. The purpose of this letter is to reinforce some of these concerns that we believe the Standards Organization needs to address in future drafts.
The CSCC’s primary concern is that the ISAO Standards Organization is driving a process that is divorced from the initial goals of Executive Order 13691 – Promoting Private Sector Information Sharing. Based on the EO and ongoing discussions with the Administration, the ISAO section of the Executive Order was an opportunity to enable entities that may not be identified as critical infrastructure, and thus are not members of an existing ISAC, to create an organization to enhance cybersecurity threat information sharing. One of the principal purposes for the development of ISAOs was to fill in the gaps for entities that did not have an ISAC or other organized means to engage in information sharing, which is an objective widely supported by industry, including the CSCC. However, as outlined in our June 16 letter, we remain concerned that the Standards Organization is driving towards a structure that is needlessly complex, overly rigid and unlikely to be viable for many private sector companies, particularly for small and medium-sized entities. In short, the current draft ISAO guidelines are inconsistent with the underlying goals and objectives provided in Executive Order 13691.
The CSCC is particularly concerned by the discussion within the standards development process about the concept of a third-party certification model. In our view, that is inconsistent with the concept of a flexible, voluntary construct. While Executive Order 13691 does call for the Standards Organization to develop baseline capabilities for ISAOs, it is important for that baseline, like the highly successful NIST Cybersecurity Framework, to be more process oriented and not based on a rigid set of standards. A focus on processes rather than standardization is something that was widely discussed throughout the development of the NIST Cybersecurity Framework. A major component of the Framework’s success is that it enables different companies or entities to shape the processes to best fit their needs. The ISAO Standards Organization would be well advised to follow a similar model.
Furthermore, there appears to be a presumption towards automated sharing and other mechanisms that may not prove viable for small and medium-sized entities. As the CSCC noted in its June 16 letter, the ISAO process should not assume “one size fits all” and instead should provide the flexibility for a variety of types, sizes and structures to emerge. Thus, the standards should continue to be viewed as guidance, not as best practices, and should not be overly rigid.
Moreover, some of the draft guidelines may undermine the liability protections in the Cybersecurity Information Sharing Act of 2015 (CISA), which are critical to many private entities’ willingness to engage in cybersecurity threat information sharing. This is due to the seeming inconsistencies between how the ISAO draft guidelines treat personally identifiable information (PII) and how CISA treats personal information. The personal information provisions in the final ISAO guidelines should be consistent with CISA to encourage participation. For example, in the privacy section of the draft guidelines the core principles reference actions ISAO members should take in relation to PII. ISAO members are “encouraged to identify and contribute indicators that are critical to identifying the threat and…minimize the PII shared with the ISAO or other members to ensure compliance with all existing privacy regulatory and legal requirements at the Federal, State, Local and International level.”
While entities must comply with applicable law, this statement could be interpreted by some as being inconsistent with CISA because it arguably requires the minimization of PII regardless of whether it is related to the threat or known at the time of sharing. CISA requires that an entity, prior to sharing, review the indicators to determine whether they contain any information not directly related to a cybersecurity threat that is known to the entity at the time of sharing and remove that information, or implement and utilize a technical capability configured to remove personal information that is, again, not directly related to a cybersecurity threat known to the entity. The relation to a cybersecurity threat and the “known” factor are extremely important CISA provisions. We strongly encourage the Standards Organization to ensure that the language included in the privacy and security sections is consistent with, if not identical to, the language and concepts within CISA and thus not inconsistent with the intent of Congress.
As noted above, we believe that the Standards Organization is trending in the right direction and are optimistic that these remaining issues can be addressed. We look forward to continuing to participate in the process and thank you in advance for your consideration and review.