Ladies and Gentlemen:
The Bank Policy Institute (“BPI”)[1], through its technology policy division known as BITS[2], appreciates the opportunity to comment on the National Institute of Standards and Technology’s (NIST) Discussion Draft of the Cybersecurity Framework 2.0 Core.
The Cybersecurity Framework (CSF) has supported both public and private sector efforts to inform and prioritize cyber risk management strategies. The CSF also serves as the foundation for the Cyber Risk Institute’s (CRI) Financial Sector Profile (Profile), which leverages the CSF’s controls, but also integrates regulatory requirements unique to the financial sector. Since the CSF was last updated in 2018, threat actors have increasingly targeted vulnerabilities in software supply chains to maximize the breadth and impact of their attacks. To ensure the CSF’s continued adaptability to evolving cyber risks, we recommend that NIST: (1) elevate supply chain risk management; and (2) align CSF version 2.0 with current cyber policies and requirements.
[1] The Bank Policy Institute is a nonpartisan public policy, research, and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans and are an engine for financial innovation and economic growth.
[2] BITS – Business, Innovation, Technology, and Security – is BPI’s technology policy division that provides an executive level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the nation’s financial sector.