On the record
April 16, 2018
Mr. Speaker, today the National Institute of Standards and Technology, or NIST, published its first major update to its heralded cybersecurity framework. Since its release 4 years ago, countless organizations have used the framework to voluntarily assess their cybersecurity risk posture, identify gaps, and implement best practices. This update adds timely guidance about managing supply chain cybersecurity risks, like those Russia exploited to damaging effect with the NotPetya malware. Since President Obama first directed its creation, NIST has employed a collaborative approach to developing the framework with diverse stakeholders from government, private industry, academia, and civil society. The revision process reflects this public-private partnership, and I thank the NIST team for their hard work drafting this update. I firmly believe that cybersecurity is not just an IT problem, and the framework's approach reflects a broader risk-based decisionmaking process. However, an understanding of the economics of controls is essential if we expect companies to adopt them voluntarily, and I look forward to continuing my work in this Chamber to deepen that understanding.





