Joint Comment Letter from Financial Services Sector Coordinating Council (FSSCC) to National Institute of Standards and Technology (NIST) Regarding the Proposed Cybersecurity Framework

Dear Mr. Sedgewick:
The Financial Services Sector Coordinating Council (FSSCC) appreciates the opportunity to provide comments in response to the National Institute of Standards and Technology Request for Comments on the Preliminary Cybersecurity Framework (“Framework”).
FSSCC submits this response to demonstrate the deep commitment of the financial services sector to the public/private partnership envisioned by the Framework. We recognize that developing a Framework that applies to those critical infrastructure institutions in each sector requires a comprehensive discussion. We commend NIST for establishing a process that allows the private sector to provide input into developing the Framework. Each sector relies heavily on others for business functions. We must all work together to better secure our nation’s infrastructure.

Risk-Based Approach
Overall, the FSSCC supports the Framework’s use of a Capability Maturity Model Integration (CMMI) to encourage entities with critical infrastructure to analyze their current level of maturity and then work toward their next level of maturity using a gap analysis. This will enable entities of all maturity levels to leverage the Framework to strengthen their cybersecurity programs by establishing a guide for companies to assess and continuously improve their internal cybersecurity posture. This flexible and mature approach will both strengthen their cybersecurity program and align with business objectives.

Institutions with critical infrastructure must be able to implement the Framework in a risk-based, flexible, and cost-effective manner to accommodate differences across sectors, as well as differences within each sector that adopts this voluntary framework. The FSSCC believes that, as intended, an organization can reduce its risk by adopting the Framework. However, senior leadership will need to be engaged in order to make decisions on where to increase their level of investment in either budgetary outlays or human capital. It is, therefore, essential that the Framework

To read the full Comment Letter, download the PDF.