This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Recommended Framework for Security Assessment #62

Open
CenterforInternetSecurity opened this issue Sep 10, 2015 · 0 comments

Comments

@CenterforInternetSecurity

As mentioned in the previous comments, it is recommended that the new acquisition policy offer guidance that is harmonized with other existing government security assessment frameworks and avoid placing undue burden on companies by imposing additional, duplicative, or cost-prohibitive requirements. To minimize unnecessary impact to contractors, we recommend for Section 3 the Critical Security Controls as a possible framework for assessing the cyber security posture of organizations handling CUI.

The Critical Controls are a community-supported and developed, industry-friendly approach to cybersecurity improvement. The Critical Controls are demonstrably consistent with the requirements of several existing assessment frameworks such as FISMA and NIST 800-53, referenced in the DoD Cloud Computing Security Requirements Guide (SRG), and specifically called out in the NIST Cybersecurity Framework. Formerly known as the SANS Top 20 Critical Controls, they are now maintained by the Center for Internet Security. The Controls have been adopted by organizations across the world as a way to prioritize the most important set of actions needed to protect against 85% of the most pervasive cyber attacks. The Critical Controls offer a private sector, vendor-neutral, open alternative to a formal government document and process for the proposed policy. For more information about the Critical Controls visit http://www.cisecurity.org/critical-controls.cfm or email [email protected]. Thank you for the opportunity to comment.
