
White House RFI : Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations #9

Closed
Tracked by #8
mcleo-d opened this issue Aug 29, 2023 · 6 comments
Labels
All Working Groups Work related to project wide scope help wanted Extra attention is needed important Items marked as important

Comments

@mcleo-d
Member

mcleo-d commented Aug 29, 2023

Description

FINOS requests that Common Cloud Controls leads the response to the White House RFI highlighted in this issue and in the attached PDF. Please give feedback on the project's appetite in the comments so the response can be planned.

Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations

The White House Office of the National Cyber Director (ONCD) is announcing a request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity. The RFI builds on the commitment the Administration made in the National Cybersecurity Strategy to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” The RFI advances one of the 69 initiatives that were released last week as part of the National Cybersecurity Strategy Implementation Plan.

When cybersecurity regulations of the same underlying technology are inconsistent or contradictory – or where they are duplicative but enforced differently by different regulators – consumers pay more, and our national security suffers. Duplicative regulation leads to companies focusing more on compliance than on security, which results in their passing higher costs on to customers, working families, and state, local, Tribal, and territorial governments. Harmonizing baseline regulatory requirements can therefore produce better security outcomes at lower costs.

ONCD is seeking input from stakeholders to understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements. Unlike many other fields, at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors. While regulated sectors may engage in distinct activities, they often use the same software, hardware, and information and communications technology and services to enable interconnectivity or automation. The technological commonalities also mean that baseline risk mitigation measures are likely to be common among entities and sectors.

ONCD-Reg-Harm-RFI-Final-July-19.2023.pdf

GitHub Issues for Questions 3, 4 and 7 Response

Shared Google Doc for White House RFI Response

Please find the shared Google Doc for White House RFI response below ...
https://docs.google.com/document/d/1qIgjIVQtQgNd-DdhzVia_VKhWa_gsV5maPDQG-KzyXI/edit?usp=sharing

@mcleo-d mcleo-d added All Working Groups Work related to project wide scope help wanted Extra attention is needed labels Aug 31, 2023
@mcleo-d mcleo-d added the important Items marked as important label Sep 11, 2023
@vicenteherrera
Contributor

Count with me:
Vicente Herrera (Control Plane)

@mcleo-d
Member Author

mcleo-d commented Sep 26, 2023

Below is a rough outline of a FINOS response to the White House RFI that will form the basis of the upcoming kick-off meeting on Thursday 28th September.

Introduction (1-2 paragraphs)

  1. About FINOS – “The Fintech Open Source Foundation (FINOS) is an independent, nonprofit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. FINOS members include… ”

  2. About the Common Cloud Controls (CCC) – “Originally proposed by Citi, FINOS is leading an industry effort to describe consistent controls for compliant public cloud deployments in the financial services sector.”

  3. Response Contents – “Our response to the RFI is limited to detailing how the CCC fosters harmonization across CSPs, which will help meet many of the goals of the RFI, including reducing inconsistencies and redundancies. By shifting some of the responsibility away from government and onto the industry – CSPs and their critical-sector clients – the CCC will reduce the risk of regulatory conflict, overlap and contradiction. Our response is relevant to questions 3, 4, and 7 within the RFI…”

Common Cloud Controls

  1. Recognize the importance of cybersecurity-related standards and third-party frameworks (e.g., MITRE Attack Framework, NIST CSF) (Questions 3 & 4)

  2. Why controls for CSPs? – “While various standards and frameworks exist for cybersecurity, there is currently a lack of common controls for CSPs. CSPs have different definitions and structures for their control-related offerings, creating fragmentation and complexity in shifting workloads from one CSP to another. The CCC could help address concentration risk and enhance cyber resilience through consistency…” (Questions 3c & 7)

  3. Challenges the CCC will address – concentration risk, inconsistent cyber controls, regulatory fragmentation, etc.

  4. Ask – “We encourage regulators to endorse the industry’s adoption of the CCC. Converging around a set of common standards for CSPs would help regulators avoid the need to issue overly-detailed rules, which would further risk contradiction or overlap between regulatory requirements.”

Conclusion

  1. Thanks – “We appreciate the opportunity to respond…”

@mcleo-d
Member Author

mcleo-d commented Sep 26, 2023

The kick-off call for the White House RFI has been scheduled for Thursday 28th Sept at 2pm BST / 9am EST.
The Zoom details can be found below.

Join Zoom Meeting
https://zoom.us/j/98254617376?pwd=aGV6VzZQOTg3MHptY0tkZHRVSUsxUT09

Meeting ID: 982 5461 7376
Passcode: 305874
Find your local number: https://zoom.us/u/acPjHdY2IO

@speedwater
Contributor

I think the response above is fine within the narrow context of our agenda with CCC.

@mcleo-d
Member Author

mcleo-d commented Oct 2, 2023

Sep 28, 2023 Meeting Notes

@mcleo-d
Member Author

mcleo-d commented Nov 9, 2023

The FINOS response to the White House RFI : Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations was posted to https://www.regulations.gov/ on 31st October 2023 and can be viewed below.

@mcleo-d mcleo-d closed this as completed Nov 9, 2023