In May, I shared Microsoft’s perspective on the U.S. government’s effort to identify incentives that could promote adoption of the Cybersecurity Framework under development at the National Institute of Standards and Technology (NIST).  In my post, I described several types of incentives that would be particularly impactful, including: 

  • Leveraging the procurement capability of the federal government;
  • Increasing government leadership to drive a more harmonized approaches to cybersecurity on a global scale; and
  • Establishing appropriately-scoped limitations on liability from cybersecurity incidents for organizations that adopt the Cybersecurity Framework.

I was pleased to read an update from the White House regarding the interagency process to determine the right incentives.  In a post on the White House blog, Special Assistant to the President and Cybersecurity Coordinator Michael Daniel provided a summary of the White House’s initial views on incentives, based upon reports from the Departments of Commerce, Homeland Security, and Treasury.  This statement and the accompanying agency reports demonstrate that meaningful progress is underway towards a final set of incentives.

Notably, the White House statement identifies eight initial areas of potential incentives that were drawn from the agencies’ reports.  The initial list is encouraging.  For example, the White House’s acknowledgement of liability limitation as a potential incentive is consistent with our comments to the Department of Commerce about incentives.  However, as the White House notes, Congressional action will be needed to realize some of the potential incentives.

We look forward to continued engagement with both public and private sector stakeholders on implementation of the Executive Order on critical infrastructure cybersecurity, and especially the White House-led effort to determine incentives.

Paul Nicholas
Senior Director, Global Security Strategy
Microsoft Corporation