Engaging the International Community on Cybersecurity Standards

U.S. companies are most effective when they can rely on the same cybersecurity standards overseas as they do in the United States. Not only do common standards make it easier for product development and sales, companies can more easily maintain and enhance network defense and resilience, which are vital in today’s world of diverse cyber threats.  That’s why I am pleased to announce the release of a new strategy to improve the U.S. government’s participation in the development and use of international standards for cybersecurity. This new report, entitled “Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity ” and “Supplemental Information for the Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity,” articulates U.S. government strategic objectives and outlines recommendations to achieve those objectives.

The U.S. approach to developing international standards relies on hundreds of mostly non-governmental organizations to develop standards and specifications and to provide the infrastructure for the preparation of standards documents.  This approach allows the users of standards, as well as representatives from industry, academia, and government, to all participate in the standards development process. The U.S. Government receives no preferential treatment in this process. This non-governmental approach yields standards of better technical rigor and industry uptake, helps support innovation, and enables the rapid adaptation and evolution of standards.

When used to support cybersecurity standards, this development structure helps improve the effectiveness of those standards in promoting security and resiliency of critical information and communications infrastructure internationally.  The process also builds trust among those creating and those using the solutions throughout the world.  These standards include cybersecurity measures that are necessary to protect everyday applications such as online commerce, smart electricity meters, networked medical devices, and online banking.  Simply put, we believe that a consensus-based, private sector-driven international standards development process, with input from all interested stakeholders, is superior to a top-down, national government-controlled approach to standards.  We are committed to advocating for the adoption of a global approach to standards development around the world.

The report supports the 2010 United States Standards Strategy, which was developed through a public-private partnership coordinated by the American National Standards Institute, and outlines the contribution of private-sector led standards development to competition and innovation in the U.S. economy and the imperative of public and private-sector participation and collaboration. The strategy is also fully consistent with the standards-related provisions of the National Technology Transfer and Advancement Act, as well as OMB Circular A-119, which sets out Federal standards policy.

The Cybersecurity Enhancement Act of 2014 directed the National Institute of Standards and Technology (NIST) to work with relevant federal agencies to ensure interagency coordination in “the development of international technical standards related to information system security” and to “ensure consultation with appropriate private sector stakeholders.” NIST worked with those agencies, and consulted with the private sector, in the development of a strategy to implement the Act via a newly established International Cybersecurity Standards (ICS) Working Group. The ICS Working Group has now been asked to coordinate implementation of the recommendations in the report.  The Working Group looks forward to working with private sector partners on implementation in 2016.

J. Michael Daniel is Special Assistant to the President and Cybersecurity Coordinator