finos / common-cloud-controls

FINOS Common Cloud Controls
https://www.finos.org/common-cloud-controls-project

White House RFI : Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations #9

Closed mcleo-d closed 1 year ago

mcleo-d commented 1 year ago

Description

FINOS requests that Common Cloud Controls lead the response to the White House RFI highlighted in this issue and in the attached PDF. Please feed back the project's appetite in the comments so the response can be planned.

Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations

The White House Office of the National Cyber Director (ONCD) is announcing a request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity. The RFI builds on the commitment the Administration made in the National Cybersecurity Strategy to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” The RFI advances one of the 69 initiatives that were released last week as part of the National Cybersecurity Strategy Implementation Plan.

When cybersecurity regulations of the same underlying technology are inconsistent or contradictory – or where they are duplicative but enforced differently by different regulators – consumers pay more, and our national security suffers. Duplicative regulation leads to companies focusing more on compliance than on security, which results in their passing higher costs on to customers, working families, and state, local, Tribal, and territorial governments. Harmonizing baseline regulatory requirements can therefore produce better security outcomes at lower costs.

ONCD is seeking input from stakeholders to understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements. Unlike many other fields, at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors. While regulated sectors may engage in distinct activities, they often use the same software, hardware, and information and communications technology and services to enable interconnectivity or automation. The technological commonalities also mean that baseline risk mitigation measures are likely to be common among entities and sectors.

ONCD-Reg-Harm-RFI-Final-July-19.2023.pdf

GitHub Issues for Questions 3, 4 and 7 Response

Shared Google Doc for White House RFI Response

Please find the shared Google Doc for the White House RFI response below: https://docs.google.com/document/d/1qIgjIVQtQgNd-DdhzVia_VKhWa_gsV5maPDQG-KzyXI/edit?usp=sharing

vicenteherrera commented 1 year ago

Count with me: Vicente Herrera (Control Plane)

mcleo-d commented 1 year ago

Below is a rough outline of a FINOS response to the White House RFI that will form the basis of the upcoming kick-off meeting on Thursday 28th September.

Introduction (1-2 paragraphs)

  1. About FINOS – “The Fintech Open Source Foundation (FINOS) is an independent, nonprofit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. FINOS members include… ”

  2. About the Common Cloud Controls (CCC) – “Originally proposed by Citi, FINOS is leading an industry effort to describe consistent controls for compliant public cloud deployments in the financial services sector.”

  3. Response Contents – “Our response to the RFI is limited to detailing how the CCC fosters harmonization across CSPs, which will help meet many of the goals of the RFI, including reducing inconsistencies and redundancies. By shifting some of the responsibility away from government and onto the industry – CSPs and their critical-sector clients – the CCC will reduce the risk of regulatory conflict, overlap and contradiction. Our response is relevant to questions 3, 4, and 7 within the RFI…”

Common Cloud Controls

  1. Recognize the importance of cybersecurity-related standards and third-party frameworks (e.g., MITRE ATT&CK Framework, NIST CSF) (Questions 3 & 4)

  2. Why controls for CSPs? – “While various standards and frameworks exist for cybersecurity, there is currently a lack of common controls for CSPs. CSPs have different definitions and structures for their control-related offerings, creating fragmentation and complexity in shifting workloads from one CSP to another. The CCC could help address concentration risk and enhance cyber resilience through consistency…” (Questions 3c & 7)

  3. Challenges the CCC will address – concentration risk, inconsistent cyber controls, regulatory fragmentation, etc.

  4. Ask – “We encourage regulators to endorse the industry’s adoption of the CCC. Converging around a set of common standards for CSPs would help regulators avoid the need to issue overly-detailed rules, which would further risk contradiction or overlap between regulatory requirements.”

Conclusion

  1. Thanks – “We appreciate the opportunity to respond…”

mcleo-d commented 1 year ago

The kick-off call for the White House RFI has been scheduled for Thursday 28th Sept at 2pm BST / 9am EST. The Zoom details can be found below.

Join Zoom Meeting https://zoom.us/j/98254617376?pwd=aGV6VzZQOTg3MHptY0tkZHRVSUsxUT09

Meeting ID: 982 5461 7376
Passcode: 305874
Find your local number: https://zoom.us/u/acPjHdY2IO

speedwater commented 1 year ago

I think the response above is fine within the narrow context of our agenda with CCC.

mcleo-d commented 1 year ago

Sep 28, 2023 Meeting Notes

mcleo-d commented 1 year ago

The FINOS response to the White House RFI : Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations was posted to https://www.regulations.gov/ on 31st October 2023 and can be viewed below.