This repository has been archived by the owner on Mar 3, 2022. It is now read-only.
As mentioned in the previous comments, it is recommended that the new acquisition policy offer guidance that is harmonized with other existing government security assessment frameworks and avoid placing undue burden on companies by imposing additional, duplicative, or cost-prohibitive requirements. To minimize unnecessary impact to contractors, recommend for Section 3, the Critical Security Controls as a possible framework for assessing the cyber security posture of organizations handling CUI.
The Critical Controls are a community-supported and developed, industry-friendly approach to cybersecurity improvement. The Critical Controls are demonstrably consistent with the requirements of several existing assessment frameworks such as FISMA and NIST 800-53, referenced in the DoD Cloud Computing Security Requirements Guide (SRG), and specifically called out in the NIST Cybersecurity Framework. Formerly known as the SANS Top 20 Critical Controls, they are now maintained by the Center for Internet Security. The Controls have been adopted by organizations across the world as a way to prioritize the most important set of actions needed to protect against 85% of the most pervasive cyber attacks. The Critical Controls offer a private sector, vendor-neutral, open alternative to a formal government document and process for the proposed policy. For more information about the Critical Controls visit http://www.cisecurity.org/critical-controls.cfm or email [email protected]. Thank you for the opportunity to comment.