Trusted Integration Submits Responses to DHS's RFI on Cyber Security Solutions for SMBs

Alexandria, VA - Trusted Integration (TI, www.trustedintegration.com), a leading provider of Governance, Risk and Compliance (GRC) management solutions for government and commercial organizations, has submitted its responses to the Department of Homeland Security (DHS) RFI requesting Cyber Security Solutions for SMBs (RFI20140220), issued to promote the adoption of the NIST Cybersecurity Framework (CSF) by Small and Medium Businesses.

Trusted Integration applauds DHS's support for SMBs, as they are key drivers of innovation and opportunity. However, SMBs have unique constraints, including limited staff and limited budgets for technology solutions; therefore, any cybersecurity solution or program targeting this group must be affordable, automated, and simple to use while supporting the majority of the CSF's requirements.

"Automated cybersecurity solutions for SMBs may not be enough. SMBs require tangible financial outcomes, either through top-line revenue growth, reduced operating costs, or tax incentives. Government actions must support facilitating rulemaking, policies, and financial incentives to support innovation and development of ongoing security solutions for SMBs," said Tri Phan, Managing Director of Trusted Integration.

3.1 Is there a viable marketplace for providing cyber security services at a low, affordable price for SMBs in support of the NIST Cybersecurity Framework?

There are several viable options available to SMBs. SMBs can leverage commercial governance, risk and compliance (GRC) tools such as TrustedAgent GRC (TA), delivered either as cloud-based or in-house offerings, together with open source technologies. Out of the box, GRC solutions can manage several key activities of the CSF, including governance, inventory and assets, inventory/asset attributes, policy and procedure management, incident management, breach notification, and risk management. When integrated with open source platforms for vulnerability assessment (VA) and SIEM, such as OpenVAS and OSSIM, SMBs can extend these capabilities to vulnerability and threat management without significant additional cost.

3.2 Would NIST Cybersecurity Framework adoption by an SMB make them a more attractive customer and potentially eligible for more advantageous pricing?

CSF adoption enables SMBs to enhance their cybersecurity posture and their standing with customers and industry peers. SMBs benefit from lower exposure to financial, operational and reputational risks, lower cyberinsurance premiums and deductibles, and improved cost and operating efficiencies. All of these factors reduce overall cost and improve brand recognition, and therefore increase demand for the products and services the SMBs provide to their customers.

3.3 How can the government help reinforce value of affordable cybersecurity solutions to SMBs?

The government should model the CSF Program on CMS's EHR Incentive Programs, which provide financial incentives for the 'meaningful use' of certified EHR technology to improve patient care, or on EPA's Energy Star program, which promotes climate protection and energy savings through third-party product certification requirements and testing.

In the proposed CSF Program, SMBs are certified through conformity assessment as having embraced the practices of the CSF. The verification confirms the effectiveness of both the CSF-supporting processes and the cybersecurity solutions. The vetting of CSF-supporting solutions must be transparent, managed by an independent third party, and free of further cost burdens on technology providers, in order to promote adoption of low-cost solutions. Participating SMBs gain reductions in cyberinsurance premiums, tiered appropriately to the cyber-practice maturity of the SMB, delivered in the form of tax incentives and other cyber-related benefits.

Until claim data for the cyberinsurance market are adequate to reasonably estimate premiums, both premiums and deductibles will remain significantly large, and possibly out of reach for smaller SMBs. For a limited time, the government should position itself as reinsurer for the insurers of SMBs in the CSF Program. This approach would further reduce premiums and deductibles and increase the supply of competing insurers, to the benefit of SMBs.

The government can further promote CSF adoption by creating safe harbors or other limitations on cybersecurity liability, contingent on participation in the proposed CSF Program. This action would decrease the cost of the liability component of cyberinsurance, help decrease the overall premium, and promote demand for both CSF adoption and cyberinsurance.

3.4 What security products and/or services would you envision being able to offer and how might those be communicated in terms of the NIST Cybersecurity Framework's core functions?

While there is no single solution that supports all the requirements of the CSF, our analysis indicated that as much as 70% of the CSF requirements may be supported through a combination of solutions, including those integrated with TrustedAgent GRC:

Identify

TrustedAgent (TA) provides a centralized platform, deployed in-house or as a cloud service, to manage the inventory of entities, their assets, processes and relationships. It provides a common descriptive framework for governance, ownership, the key attributes of cybersecurity entities, their relationship to the SMB's goals and objectives, and any identified and remediated risks. It enables prioritizing and categorizing entities based on risk type or cybersecurity maturity level, and automates and integrates governance, assessment, and risk management within a single application.

Protect

TA supports several regulations and industry standards, as well as risk management frameworks including NIST RMF, CSF, COBIT, ISO 27001 and others. Through policy management, policies and procedures can be developed and distributed to end users, and user adherence and audit records can be maintained.

Detect

TA provides the capabilities to detect and characterize adverse events through its incident management module; to maintain security and situational awareness by leveraging vulnerability assessment tools (integrated or imported); to determine whether a risk threshold has been exceeded; and to continuously monitor for threats and for the effectiveness of controls through its annual assessment and continuous monitoring modules (periodic and on-demand VA scanning, key control retesting). Detected risks can be associated with the impacted assets as defined in the inventory under the Identify function. TA also enables entities to maintain key personnel, contingency, response and recovery plans, and monitoring/response strategies as part of their continuous monitoring effort.

Respond

TA automates incident and risk identification and response management to address security and privacy incidents, facilitates impact analysis to derive a risk level, manages ongoing remediation, and supports reporting and sharing of incident reports with regulatory and industry bodies. Identified risks are managed as corrective actions, with milestones assignable to responsible personnel. Dashboards and reports provide visibility into, and accountability for, key metrics and risk remediation activities across the organization.

Recover

TA supports memo publishing to communicate lessons learned to personnel across the organization. Centrally managed policies and procedures can be updated to incorporate key learning points and then disseminated to organizational staff. Similarly, control requirements and best practices can be updated using the content authoring module, enabling adoption of revised implementation standards and instructions that incorporate response updates.

3.5 How would you characterize SMBs for the purpose of identifying applicable services, eligible customers, etc.?

SMBs (both buyers and solution providers) participating in the CSF Program should be characterized by number of employees, reported annual revenue, and the industry, products and services of the SMB. SMBs with a role in critical infrastructure products and services should be the initial focus of DHS, with gradual inclusion of other types of SMBs as the CSF Program expands.

3.6 Does DHS/government have a role in helping establish the guidelines for capability providers to determine what adoption of the NIST Cybersecurity Framework is?

DHS/Government is best served in a leadership role, facilitating rule-making, policies, and incentives to enable adoption of the CSF. The details of the guidelines for capability providers should be managed by NIST or by independent, cross-sector industry groups. Care should be taken to ensure that any developed guidelines or standards are freely available for use and for derivative third-party works without limitation, to promote innovation and adoption by providers.

3.7 Are there technical or policy impediments that inhibit the marketplace from providing cyber security solutions at a low, affordable price for SMBs?

Some SMBs may be subject to existing regulations (e.g., HIPAA, FFIEC, PCI) that stipulate more granularly defined requirements. Supporting both sets of regulations or standards may add unnecessary burdens for SMBs. The government should accept an alternate implementation under an existing regulation as equivalent to the CSF and require SMBs to address only the differences.

3.8 Are there ways in which economies of scale could be used to make a market for SMBs cyber security solutions more attractive and financially viable for both buyers and sellers? If so, how could these economies of scale best be fostered?

Economies of scale for cybersecurity solutions may be obtained by delivering the solutions as cloud-based offerings. This approach spreads the sellers' costs of hardware and software, operations and ongoing maintenance, and supporting personnel across multiple customers, thereby lowering the cost for buyers.

The government should also promote the use of cyber-related open source software and commercial solutions from other SMBs. These technologies are reasonably affordable due to their zero to low cost of acquisition.

For SMB providers (i.e., sellers), the government should consider tax credits and rules that offer favorable treatment of capital expenditures to support buildup of the infrastructure required to deliver these capabilities to SMBs. To limit market forces from larger enterprises (i.e., those not meeting the requirements or profile of SMBs) that could impact the innovation and growth of SMBs, the government should also consider a period of exclusion from their participation in the proposed CSF Program and the resulting benefits and incentives outlined in questions 3.3 and 3.8.


About Trusted Integration, Inc.

Since 2001, Trusted Integration has been a leader in providing Governance, Risk and Compliance (GRC) management solutions for government and commercial organizations. TrustedAgent is an adaptive, scalable GRC solution that enables organizations to standardize business processes, reduce complexity, and lower costs in the management, analysis, and remediation of risks across the enterprise, meeting the challenging, complex, and ever-changing requirements of PCI, SOX, HIPAA, NERC, ISO, COBIT, FISMA, and others. For more information, visit us at www.trustedintegration.com.