The National Association of Federally Insured Credit Unions (NAFCU) voiced its support this week for updates to the National Institute of Standards and Technology (NIST) cybersecurity framework.
NIST updated its 2014 cybersecurity framework in December. The update focuses on the relationship between tiers and maturity levels in cybersecurity, which NAFCU said is a necessary change.
In a comment letter to NIST, NAFCU Regulatory Affairs Counsel Andrew Morris stated that an organization’s desired maturity level should be risk-based and aligned with cost-benefit analysis. This is an essential distinction, Morris added, since there shouldn’t be a one-size-fits-all approach to cybersecurity.
“NAFCU believes that continuous refinement of the framework over time will also help non-regulated entities achieve the high standards set by financial institutions and ensure that regulatory expectations are aligned with objective, risk-based principles,” Morris wrote.
Morris stated in the letter that many NAFCU members have benefited from NIST’s lexicon of cybersecurity terminology. He claimed it has informed the development of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool, as well as the National Credit Union Administration’s cybersecurity examination procedures.
Morris also commented on the framework’s revisions concerning how organizations use measurements, how an organization determines its cybersecurity maturity through use of the framework, and the utility of information sharing.