TechNet will promote the adoption and use of voluntary, flexible, risk management-based approaches to managing cybersecurity risk. TechNet supports the following principles and objectives:
- Alignment of policies, legislation, regulations, and guidance with flexible, stakeholder-driven, risk management-based approaches to cybersecurity, including:
  - Promotion of voluntary industry adoption of the Framework for Improving Critical Infrastructure Cybersecurity (Framework), including any updates to the Framework;
  - Further guidance for and oversight of Framework adoption by federal agencies, per Executive Order 13800; and promotion of Framework-like approaches (flexible, stakeholder-driven, risk management-based) with international partners;
- A comprehensive risk-based cybersecurity strategy that increases the security and resiliency of all networks, and prepares for and mitigates cyberattacks through the voluntary coordination of industry and government;
- Market-based incentives to encourage companies to actively manage risks in accordance with industry standards and practices;
- Improved accountability, reporting requirements, and uniform standards for federal agencies as they comply with cybersecurity laws, regulations, and executive actions;
- Government-led and public/private initiatives that support improving the cyber defense capabilities of small businesses.
- Government participation, working through NIST, in the continued development of an international, consensus-driven Internet of Things (IoT) security framework for consumer, industrial, and critical infrastructure. This may involve the development of a risk management approach similar to the NIST framework that focuses on IoT security and incorporates security into initial designs that can be built upon, depending on the functionality and risk associated with the device.
- Modernizing Government Technology (MGT) Act funding and implementation that focuses on driving down cybersecurity risk. Agencies must report on existing networks that cannot be fixed and must be replaced.
- Implementation of the Cybersecurity Information Sharing Act of 2015 that facilitates a risk-based strategy by promoting the sharing of actionable cyberthreat information from government to industry, from industry to government, and among private companies. In developing the policies and procedures to implement the act’s information sharing requirements, the administration should protect the privacy of data. TechNet members are encouraged to participate in the program as it is implemented.
- The U.S. government sharing cyberthreat information with the private sector in a timely and actionable manner, and dedicating the necessary resources to achieve this goal. The current process does not provide companies with actionable, accurate, and timely information. Specifically, the federal government should work to minimize the average amount of time that a threat actor remains undetected once they have gained their initial exploit or foothold. To this end, the federal government should track and publish its own performance metrics, including the amount of time that occurs from (1) breach-to-detection, (2) detection-to-response, and (3) detection-to-sharing of the cyberthreat indicators.
- Providing industry with appropriate liability protections when participating in government cybersecurity sharing programs.
- Broader infrastructure proposals and legislation that include provisions to modernize and strengthen cybersecurity frameworks and defenses.
- No federal government mandates on the design of products and services. The federal government should be particularly careful to avoid requirements that would weaken the security of technology used to protect sensitive personal information and critical systems.
- Cybersecurity efforts at the federal and state levels to protect the integrity of election systems and related IT infrastructure.
- Education, workforce, and immigration policies and initiatives that help the U.S. develop and retain the world’s best cyber workforce.