In theory, there has been widespread public and private sector buy-in for NIST’s cybersecurity framework — private companies have submitted commentary, attended workshops and testified before Congress on behalf of the framework. But in the reality of adoption, many have worried private companies will not have enough incentives to adopt the voluntary framework.
Enter the White House. It collected incentive recommendations from three departments: Homeland Security, Commerce and Treasury. Tuesday, Michael Daniel, White House cybersecurity coordinator, released the first draft of a set of incentives, cautioning they “were developed in a relatively short time frame.”
The suggestions — eight in all — range from those easy to implement under President Barack Obama’s February executive order directing the creation of NIST’s cybersecurity framework, to some that would require an act of Congress, to others that would necessitate further collaboration with private industries.
Here they are, in the same order Daniel presented them in a blog post:
- Cybersecurity insurance: The insurance industry could develop a competitive cybersecurity insurance market, with reduced rates for companies that adopted various risk-reducing measures from the framework.
- Grants: The government could write into its grants conditions that companies must meet certain cybersecurity standards.
- Process preference: The government often provides technical assistance to companies operating critical infrastructure and could give priority to companies that have adopted the cybersecurity framework. Agencies already have the authority to do this without any legislation.
- Liability limitation: If companies were given some liability protection in exchange for implementing the information-sharing portion of the cybersecurity framework, they might be more likely to adopt those portions. Providing liability protection would require a significant act of Congress.
- Streamline regulations: If the new cybersecurity framework overlaps with too many existing regulations, companies will be less inclined to adopt it. Agencies can work to eliminate these redundant and overlapping regulations.
- Public recognition: The government recognizing exemplary private industry adopters might drive competitors to adopt the framework as well.
- Rate recovery for price-regulated industries: Regulatory agencies that set utility rates could allow utilities to recover the cost of cybersecurity investments needed to implement the framework.
- Cybersecurity research: After the release of the final framework, the government could point private industry to commercial solutions that would help implement the framework. It could also point out where solutions do not yet exist, driving industry competition to meet those needs.