Two documents published in the Federal Register within the last week highlight how the Treasury Department is embracing a more active role for itself in protecting critical infrastructure in the financial sector from cybersecurity attacks, including by promoting industry’s perspective.
Treasury’s Office of Cybersecurity and Critical Infrastructure Protection will take comments through March 23 on a proposal issued Wednesday toward identifying “cybersecurity and operational risks to and interdependencies within U.S. financial services sector critical infrastructure and to work collaboratively with industry and interagency partners to develop risk management and operational resilience initiatives.”
Under the Paperwork Reduction Act, the office can currently only collect information from a maximum of nine companies at a time, a senior cyber policy advisor for Treasury explained.
If approved, OCIP’s proposal would allow Treasury to engage with a broader array of stakeholders and to have a written record in response to questionnaires the department hopes to issue in the future.
“Part of our mission space is looking at the implementation of best practices,” Treasury official Elizabeth Irwin told Nextgov, noting the National Institute of Standards and Technology’s Cybersecurity Framework is one such example.
“People have said, ‘yes we’ve implemented it,’ but we would like a little more fidelity into what that looks like,” she said, adding Treasury might want to ask firms, “Which parts have you implemented? Which parts do you think are useful? Which parts do you think are less useful?”
Irwin said firms’ responses to such questions “can inform our conversations with NIST and lets us be an advocate for them.”
In general, Irwin noted that Treasury is not a regulator and entities would voluntarily respond to ..
Support the originator by clicking the read the rest link below.
