In July of this year, the Office of the National Cyber Director (ONCD) stated in its release of an RFI on regulatory harmonization that: “When cybersecurity regulations of the same underlying technology are inconsistent or contradictory—or where they are duplicative but enforced differently by different regulators … consumers pay more, and our national security suffers.” This is an understatement. SecurityScorecard agrees and was happy to share our comments with ONCD today.
Worldwide adoption of cyber regulations
Cyber risk is one of the greatest threats to the resilience and reliability of America’s critical infrastructure. Last year saw the implementation of the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP). This year, the White House rolled out its National Cybersecurity Strategy, which called for “fundamental changes” to the digital ecosystem to shift the advantage to defenders using data-driven approaches and metrics. Meanwhile, the U.S. Securities and Exchange Commission (SEC) and the European Union have adopted new regulations aimed at increasing the resilience of private companies and the financial sector.
Regulations are needed before a crisis strikes, to level the playing field, and to enable healthy competition while simultaneously improving cybersecurity and operational resilience. Too often, however, regulatory requirements can lead to inadequate or inconsistent outcomes when it comes to the cybersecurity of critical infrastructure. Harmonization of requirements and reporting against metrics that matter can alleviate these challenges.
The imperative for cybersecurity metrics
This brings us to the Office of the National Cyber Director’s (ONCD) request for information on harmonizing cybersecurity regulations in critical sectors. To support and amplify this request, SecurityScorecard stresses that Sector Risk Management Agencies (SRMAs) should use continuous risk metrics to measure the overall resilience of their sector, identify trends in vulnerability and mitigation, and evaluate the efficacy of regulatory requirements using objective, externally observable data that can be independently verified. Additionally, embracing continuous metrics across multiple sectors would help identify problems and best practices that transcend individual sectors and that may therefore be appropriate targets for regulatory harmonization.
Security ratings are a recognized, trusted source of objective, data-driven metrics for cybersecurity performance. Their use today by select SRMAs in the federal government to measure and communicate progress against regulatory requirements provides a strong, repeatable capability that we believe can facilitate greater transparency and evidence-based policymaking on cyber matters government-wide.
In 2021, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly told Congress, “I think it’s hard to say you’ve reduced risk unless you know how to measure it.” SecurityScorecard agrees with this statement wholeheartedly. In the end, you can’t manage what you can’t measure, and you can’t defend what you can’t see.
Increasing cyber resilience in the supply chain
Third-party cyber risk is now one of the biggest threats organizations face, with many of the recent major breaches (SolarWinds, Log4j, and MOVEit) resulting from a single vulnerability. SecurityScorecard’s joint research with the Cyentia Institute found that 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years. Knowing this, organizations are aware that they can no longer rely on static analyses of their cybersecurity environments.
Instead, they must continuously assess cybersecurity risk, including across their entire supply chain and vendor ecosystem, and produce quantitative metrics to measure that dynamic risk in a standardized, actionable way. This is what Security Ratings deliver, and we believe this approach can undergird sensible and measurable regulatory requirements, making it easier to evaluate and communicate the impact regulations have on cyber resilience.
SecurityScorecard’s A-F security ratings platform offers rigorous, free cybersecurity self-assessments to customers, and cost-effective assessments for their third-party vendors and suppliers. This is done without going behind any firewalls; only public-facing data is collected. By offering an “outside-in” view of an organization’s cybersecurity posture, SecurityScorecard gives organizations the ability to see what an attacker sees. This not only identifies weaknesses in an organization’s own cyber environment but also illuminates risk throughout its supply chain.
While a high Security Rating does not make an organization immune from cyber risk, it does lower the chances of a breach. Conversely, a lower score means that an organization has not sufficiently hardened its infrastructure against malicious actors and is therefore more likely to suffer a breach.
In the aftermath of ransomware attacks on the transportation sector, the TSA began using our ratings to measure and validate the security posture of critical infrastructure and reporting on the hygiene of these entities using straightforward A to F ratings — which a National Security Advisor for Cybersecurity recently called “game-changing.”
We believe that this recent partnership with the TSA, built on our FedRAMP Ready platform, can serve as a blueprint for other SRMAs to seamlessly measure and communicate how regulatory requirements are being implemented and how they are advancing cyber resilience.
Key benefits of the SecurityScorecard Platform for federal agencies include:
- Operationalize third-party cyber risk management: Out-of-the-box capabilities that agencies can use to manage third-party cyber risk across critical infrastructure.
- Efficient risk prioritization: Federal agencies can prioritize risks on a large scale, providing actionable insights and enhancing operational awareness.
- Enhance collaboration: The platform promotes operational collaboration, facilitating the delivery of insights and intelligence.
- Dynamic risk insights: Actionable insights into risk associated with key sectors, empowering agencies to respond proactively.
- Improve threat awareness: Federal agencies can drive awareness of threat exposure with operational stakeholders and partners.
- Streamline collaboration: Improve collaboration across the entire federal cybersecurity ecosystem.
Employing the same metrics across multiple critical sectors would help to facilitate the identification of vulnerabilities and improve the cyber resilience of our nation’s critical infrastructure. SecurityScorecard stands ready to support the Office of the National Cyber Director (ONCD) in its efforts to strengthen our national security.