
1 New Orchard Road

Armonk, NY 10504-1722
April 12, 2013
Ms. Diane Honeycutt
National Institute for Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899

VIA EMAIL: cyberframework@nist.gov

Re: Developing a Framework to Improve Critical Infrastructure Cybersecurity RFI
Federal Register Docket #: Docket Number 130208119-3119-01

To Whom It May Concern:

IBM appreciates the opportunity to respond to the National Institute of Standards and Technology Request for Information (RFI) on Developing a Framework to Improve Critical Infrastructure Cybersecurity, as well as the ongoing collaboration between government and stakeholders to address cybersecurity threats to our nation's most critical assets.

Securing large enterprises against cybersecurity threats is a significant undertaking and one that IBM understands first hand. Today, IBM secures the operations and proprietary information for a globally integrated enterprise spanning 150 countries, with more than 400,000 employees, 120,000 servers, and a half-a-million networked devices. In addition to securing our own global operations, we provide security services and solutions to virtually every sector of U.S. and global businesses and governments.

We have been directly involved in ongoing discussions and engagements with the U.S. government and other governments and clients around the world on the host of issues associated with cyberspace. These experiences inform our comments for the questions posed in the RFI.

IBM welcomes government-industry collaboration in addressing cybersecurity risks and commends the Administration for its outreach to the stakeholder community in developing and implementing the Executive Order. However, we counsel against a prescriptive, regulatory approach that does not adequately reflect the ever-changing nature of cyberspace. Businesses must adapt their risk management strategies faster than any regulatory process can move. Most problematic, in our view, would be a static, "check-the-box" compliance regime that would stifle innovation by encouraging firms to invest only in meeting rigid standards or practices that are outmoded before they can even be published. Not only would this fail to provide lasting improvements to the nation's collective security, it could easily result in a false sense of security.

The current cyber-threat environment evolves in real time and requires a continuous, complex, and layered approach to security that varies greatly across industry sectors. Many of the cyber issues faced by our clients differ greatly, change daily, and cannot be solved by an externally-imposed set of common responses. Therefore, IBM is particularly supportive of the provisions in the Executive Order that require the cybersecurity framework to be flexible, repeatable, technology-neutral, and consistent with voluntary international consensus-based standards and industry best practices. We are hopeful that the full implementation of the Executive Order will produce positive outcomes for our nation's security while also promoting the technological innovation needed to deter threats.
I. RISK MANAGEMENT PRACTICES
For any society and in any era, the issue of security is inextricably bound up with the nature and pace of change. And today, the pace of change – in business, politics, and technology – is accelerating exponentially.

This is not mild, episodic change; we are talking about "turbulent change." Economic disruptions, cyber attacks, political upheaval, technology leapfrogs, and natural disasters can occur almost without warning. Even anticipated change – driven by the availability of new computing models and new partnerships, mergers and acquisitions, or management initiatives – requires leaders to make decisions in the face of uncertainty in order to ensure continuing economic growth and expanded stakeholder value.

In the face of this uncertainty, how do we anticipate and prepare for everything that might happen? The answer is: we can't. Instead, we optimize our organizations for adaptability. It is those organizations that have learned to embrace change – and thrive on it – that have endured and prospered. They have discovered that it is possible not only to adapt quickly to turbulent and accelerated change, but to turn that agility into a competitive strength.

How does the management of security risk factor into this faster, smarter world? Clearly, that challenge is a priority for executives who cite:

• Concern about the security of technologies like cloud computing and mobile device adoption;
• Concern about the pervasiveness of data and the ability to effectively control its appropriate use and prevent inadvertent or deliberate exposure;
• Concern about the rapidly changing threat environment and confusion over how to effectively defend against increasingly sophisticated attackers using increasingly sophisticated tools;
• Growing concern around "bad actor" involvement in product (hardware or software) development, which has been fueled by incidences of counterfeit products, cyber espionage and other cyber crime via insertion of malware and malicious code;
• Frustration with a patchwork of costly and complex compliance requirements: the average enterprise is subject to hundreds of regulations;
• Concern about how to deploy effective security tools while also respecting employee privacy;
• Confusion on approach – seeking guidance about what constitutes effective security in a particular industry and the cybersecurity risk landscape;
• Concern about obtaining comprehensive and up-to-date assistance in acquiring and deploying effective security measures; and
• A general lack of security skill within the technical population and a specific lack of experienced security professionals available for hire.

As both an enterprise and leading security product and service provider, our experience indicates that those organizations displaying maturity in security risk management practices have a common characteristic: They have effectively aligned business strategy with security priorities through the leadership of a dedicated, empowered, security executive who manages enterprise security through operation of a pragmatic, risk-based security management program.
Organizational Structure – Elevation of the Risk Management Function

IBM believes that no other single action will do more to galvanize a new approach to security in an organization than the appointment and empowerment of a Chief Information Security Officer (CISO) or Vice-President of Information Technology Risk. This executive must have authority and responsibility for establishing and driving enterprise-wide cybersecurity programs. Regulators, governments, investors, employees, and customers will notice and appreciate the strong signal a CISO appointment sends about how seriously the organization takes security and privacy.

To be most effective, IBM recommends that the CISO position report directly to the corporate CEO, COO, CIO, or CFO and have responsibility and authority for:

• Identifying and prioritizing cybersecurity risks;
• Implementing and monitoring the performance of best practices;
• Setting and maintaining cybersecurity policies;
• Ensuring proper business and technical controls are implemented, tested, and kept current;
• Translating security challenges and opportunities into business language for regular consumption by the CEO, the Board of Directors, and other key senior leaders; and
• Ensuring ongoing workforce education and awareness of cybersecurity risks and best practices.
Comprehensive Risk Management – IBM Security Framework

While many organizations around the world have implemented traditional risk management programs to identify, assess, mitigate, monitor, and continually review risks within the financial, business, health and safety, physical security, or operational risk domains, typical approaches to cybersecurity risk management are less mature.

It is IBM's perspective that organizations need to manage cybersecurity risk with a structured operational risk management process that assesses business and IT risks that include: identifying key threats and compliance mandates; reviewing existing security risks and challenges; implementing and enforcing security risk management processes and common control frameworks; and executing incident management processes when crises occur. Security does not stop at organizational boundaries. Successful organizations need to implement and enforce security excellence across the extended enterprise by including key stakeholders, customers, partners, and suppliers.

In order to operate cybersecurity as a true enterprise function, management needs a framework within which to establish current security programs, understand the context and critical interdependencies, and set priorities accordingly. Such a framework is also used to identify gaps, monitor progress, and achieve other strategic security objectives, while ensuring security programs are fully coordinated with an organization's core business objectives and initiatives.

IBM's Security Framework is based on the principle that better security management is achieved when an entity is protected by not just one layer or one component, but by multiple, diverse mechanisms architected to achieve defense-in-depth. Built upon such internationally recognized IT security standards as ISO 27002:2005, ISO 15408, CoBIT, and ITIL, the IBM Security Framework covers areas such as trusted and consistent identities, authentication and access control, information flow control, encryption of sensitive data at-rest and in-transit, audit and compliance, and network resiliency.

For a detailed description of the IBM Security Framework and Best Practices, see http://www.redbooks.ibm.com/abstracts/sg248100.html?Open

IBM recognizes that security for critical infrastructure often goes beyond the business and IT domains. Conventional enterprise IT security measures must be adapted and extended into the industrial process control systems, which involve a myriad of proprietary interfaces, protocols, and heterogeneous devices spread over a large geographic and governance space. One of today's biggest cybersecurity challenges is assuring that IT security controls are applied to these newly connected process control networks.
II. SPECIFIC INDUSTRY PRACTICES

Product and Service Assurance

The IBM development organization is global, with more than 60 laboratories and over 40,000 developers working to produce and support a range of hardware, premise software, and software service used throughout major industries and critical infrastructure. The process used by IBM, known as "Security Engineering," is an ongoing internal program designed to ensure that IBM designs, builds, and supports our products and services with security in mind.

For IBM, the development of products and services is characterized by maturity of practices in four pillars: (1) Structured Development Process; (2) Secure Engineering Framework; (3) Continuous Improvement Quality Management Program; and (4) a Supply Chain Security program. The Secure Engineering Framework pillar is further defined by a set of eight essential practices that are markers of success in the drive to build secure products. The essential practices are: Education & Awareness, Project Planning, Risk Assessment & Threat Modeling, Security Requirements, Secure Development, Security Testing, Security Documentation and Security Incident Response. This Framework represents practices that can be adopted in any style of development project, from waterfall, to iterative, to agile or Dev/Ops.

Over the years, IBM saw that engineering processes as practiced by various organizations and various styles of development lacked the rigor required to provide requisite security assurance. As a result, IBM published the Secure Engineering Framework.[1] The IBM Secure Engineering Framework reflects best practices used for IBM software development and directs our development teams to give proper attention to security during the development lifecycle.[2] IBM believes that this Framework can act as a guideline for a wide range of solutions and industry, including critical infrastructure.

IBM receives a continuous stream of requests for information on how these practices are executed. In an effort to ensure transparency, IBM has been working with leading vendors from the information technology industry, U.S. Government agencies, and the business community to define open standards and an accreditation process applicable to Information and Communications Technology (ICT) vendors. A recent example is the Open Trusted Technology Provider Standard,[3] released by the Open Group, which describes requirements and practices in four areas of information technology development: Product Development Process, Secure Engineering Process, Secure Supply Chain, and Product Evaluation. IBM believes this type of approach can help demonstrate ICT vendor commitment to assurance of products and services.

As for vulnerability analysis for product and service development and delivery, IBM sees several continuing business and technical challenges. In many cases, these challenges are traceable to the acquisition, correlation and dissemination of vulnerability information to a diverse community that includes: stakeholders, ICT Development teams, and IT Service Operations teams. IBM believes a converged lexicon and taxonomy for Risks, Threat Vectors, Threats, Weaknesses, Vulnerabilities, Policies, and related concepts could advance the state of the art in Risk Analysis and Threat Modeling early in development projects.

III. INFORMATION SHARING AND INCIDENT RESPONSE

Risk management frameworks, organizational structures, and development of secure products are all key components for critical infrastructure security. However, capabilities to receive actionable threat data and appropriately and effectively respond to incidents are just as critical to improve our overall security posture.

[1] http://www.redbooks.ibm.com/redpapers/pdfs/redp4641.pdf
[2] http://www-03.ibm.com/security/secure-engineering/
[3] http://www.opengroup.org/ottf/

Information Sharing

The global economy has been transformed by massive amounts of data. Hundreds of billions of connected devices have created an enormous, invisible flow of digital "1s" and "0s" – a global gusher of information. Enterprises and institutions are analyzing this flow of streaming, unstructured data and acting upon those insights in real time. Companies, communities, and governments around the world are beginning to harness the power of Big Data to make smarter decisions, anticipate problems to resolve them proactively, and coordinate resources to operate more effectively. IBM sees this first hand, working with clients to use data analytics to drive intelligence into every aspect of their operations.

Real time data sharing and analytics are just as critical in the protection of infrastructure and organizations against cyber threats. In fact, the digital venue for cyber attacks – which piggyback on that flow of "1s" and "0s" to deliver their payload – makes real time data sharing all the more important. While individual entities each have a line of vision into their own networks, analyzing collective pools of data will greatly improve our chances at successfully connecting the dots to prevent damaging attacks. With cyber events occurring at light speed, it is clear that automation and real-time sharing of relevant information need to be built into the process.

Government-industry partnerships are a key aspect of effective information sharing. Industry partners, like IBM, can host and supply state-of-the-art analytics platforms, as well as share anonymized data feeds captured from ongoing internal security activities. Government can supply its own unique threat intelligence and serve as a trusted hub for coordinating across industry sectors. Taken together, the collaborative security intelligence streams will improve overall awareness of cyber threats and be used to advise critical infrastructure and other entities as to emerging threats and recommended responses.

The Executive Order takes a number of positive steps to increase the volume, timeliness, and quality of cyber threat information shared by the federal government with the private sector. But more needs to be done by Congress to address legal impediments and liability risks that are hindering the robust sharing of information by private sector organizations. The sooner actionable information about cybersecurity threats is shared, the faster it can be used to help protect the public. Today, however, even the most security-conscientious businesses may hesitate to bring forward that information in a timely way due to liability concerns, even when they, too, are being victimized. Treating such organizations as allies rather than accomplices will help them step forward – in the interests of their clients, employees, the nation, and themselves.

Coordinated Cybersecurity Incident Response

An effective incident response capability is another key element of any cybersecurity strategy. Without an incident response plan, there is more risk that a cyber attack will cause greater damage – either because the attack is not discovered in time or because appropriate mitigation actions are not followed upon discovery. A centralized and well-publicized incident reporting mechanism, as well as written incident response procedures that define roles and responsibilities, are central features. Forensic and other investigative capabilities also should be resourced, either internally or with a third party vendor. For example, IBM has its own internal Computer Security Incident Response Team, and also provides similar services and expertise to its customers through IBM's Emergency Response Service Unit.

At a national level, incident response for significant cyber events affecting critical infrastructure will necessarily involve federal, state, and local government, as well as non-government entities. It is important that incident response in such large-scale events is not weighed down by complexity and bureaucracy, but rather is able to adapt nimbly to rapidly changing events and provide timely, actionable information to relevant parties, including private entities and state and local officials.

IV. CYBERSECURITY SKILLS, EDUCATION, AND AWARENESS


Skill Development

An element of society's effective response to the challenge of securing critical infrastructures, the need for skilled individuals to build and maintain security of key systems is a policy challenge that is part of the broader challenge facing many countries - that of encouraging more people to get into science and engineering fields.

The problem is one both of quantity and quality. Society at large faces a shortage of the highly technically skilled people required to operate and support systems we have already deployed. We also face an even more significant shortage of people who can design secure systems, write safe computer code, and create ever more sophisticated tools to prevent, detect, and mitigate damage from system failures and malicious acts. While technology skills are clearly needed, it is also evident that cybersecurity will benefit from a multi-disciplinary approach, involving experts in human-computer interaction, psychology, and sociology.

There are many examples of the difference the right skills and staffing can make in the current environment - and this difference will persist for a while, even if automation and game changing research result in simpler ways to secure complex systems.

There are four elements of any strategy to deal with this challenge, all of which can be accelerated by governmental action:

• Promoting and funding the development of more rigorous curricula in schools (there is significant activity underway here, but there is a consensus that more is needed);
• Supporting the development and adoption of technically rigorous professional certifications;
• Using a combination of hiring, acquisition, and training resources to raise the level of technical competence of those who build, operate, and defend systems; and
• Assuring, as with other disciplines, like engineering or medicine, there is a career path to reward and retain those with high-level technical skills, both in the civilian workforce and in the uniformed services.

Since IBM believes that closing the security skills gap is a top priority, IBM has created a Cyber Security Innovation team to work with universities on curricula development, collaborative research, and implementation of centers of excellence. Today, IBM is working with more than 200 universities around the world to build new programs and enhance existing cyber and information security academic programs. Recognizing that the majority of the security curricula that exists today is part of a Computer Science and Information Systems Management track, IBM is helping universities build broader, holistic programs that expand security to schools of business, public policy, and informatics. To better support growth market regions where faculty often lacks security skills, IBM developed a 40 hour "Train the Trainers" course in Security Fundamentals.

Education & Awareness

Today, the U.S. workforce faces significant changes in the business and technology landscape. The rapid spread of mobile, cloud, and social computing is driving large and positive changes in how corporate IT functions, how businesses operate, how we work, and how we live our lives. These new forms of computing enable further global interconnectedness and generate even more digitized data that can help individuals and companies gain new insights for better decision-making.

At the same time, the pervasiveness and complexity of these new technologies - and the fast-paced, open, and interconnected environment they help create - introduce new risks to organizations and individuals. Consider the potential for inadvertent disclosure or loss of confidential or sensitive information and the financial, reputation, or brand damage that can result.
While the "consumerization of IT" makes it possible for individuals to connect and work anytime, anywhere, and with any device, it also makes it more challenging for companies to maintain the security of their infrastructures when potentially thousands of such devices connect to corporate systems.

Across the company, IBM is taking steps to reduce these risks. The company's comprehensive response includes technology, process, and policy measures. And just as important, our response involves employee education and awareness.

It is our belief that in order for any national cybersecurity effort to be successful, we must educate and train the future workforce as well in recognizing cyber threats and practicing good security. In order to further this goal, IBM has created a series of educational assets targeting K-12 students, teachers, and parents to help them learn the importance of security and how to protect themselves and others.

• Internet Safety Coaching: https://www.ibm.com/ibm/responsibility/initiatives/activitykits/internet_safety/
• Cyber Bullying: https://www.ibm.com/ibm/responsibility/initiatives/activitykits/cyber_bullying/
• Control Your Online Identity: https://www.ibm.com/ibm/responsibility/initiatives/activitykits/control_identity/
• Safe social computing: http://www.youtube.com/watch?v=%14!fF4MOyA

IBM has also created a series of assets which is intended for use by more sophisticated audiences in the technology field. Some examples include:

• IBM X-Force Research and Development - one of the most renowned commercial security research and development teams in the world. This group of security experts researches and evaluates vulnerabilities and security issues, develops assessment and countermeasure technology and educates the public about emerging Internet threats. Twice a year, IBM publishes at no cost the X-Force Trend and Risk reports to help the public at large stay ahead of emerging threats.
• Security Essentials for CIOs - a series of ten whitepapers to help CIOs confront today's top enterprise challenges
• Center for Advanced Insights Studies including the first CISO Study: http://www-03.ibm.com/press/us/en/pressrelease/37611.wss

IBM appreciates the opportunity to provide this input into the Cybersecurity Framework and looks forward to further collaboration with NIST and others at future workshops and on other aspects of the implementation of the Executive Order. For more information or questions, please contact Catherine Webb, IBM Security Systems, webbca@us.ibm.com.