Public Policy Comments

M3AAWG actively seeks to provide the necessary technical and strategic guidance to protect end-users’ online experience as government, Internet and public policy agencies worldwide develop new Internet policies and legislation. Working to reduce the spread of spam, bots and malware, M3AAWG has submitted comments on these proposals:

February 13, 2025

Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) General Input on the National Cyber Incident Response Plan (NCIRP) Update

M3AAWG commends CISA’s efforts to enhance public-private collaboration in the updated National Cyber Incident Response Plan (NCIRP). We are pleased to offer recommendations based on our extensive experience in addressing cyber threats and improving incident response. In this document, we outline key areas that we believe will support and strengthen the NCIRP update. Some of these expand on aspects of the plan, while others look at issues that are not yet addressed.

December 12, 2024

Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) Comments on Product Security Bad Practices Guidance

M3AAWG has submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), Request for Comment on Product Security Bad Practices Guidance. M3AAWG generally supports the stated goals of reducing customer risk by prioritizing security throughout the product development process and discouraging the use of bad security practices, particularly where critical infrastructure and national critical functions are potentially impacted. However, the document lacks clarity on its role and purpose in relation to other CISA publications and comments. The draft guidance does not specify who is responsible for taking action, what specific actions are required, and which level of the security management stack this document is meant to address. These elements should be clarified throughout. Merely avoiding bad practices will not be sufficient to meet security standards. Avoiding bad practices must be supplemented with industry-standard security best practices. In addition, since CISA has previously issued advice on many of the areas covered, it would be helpful to clarify the objectives of this new draft guidance, the context for its release, and how it modifies or complements past guidance. For example, if the intent is to reinforce or summarize existing recommendations, this should be stated explicitly. Conversely, if the document introduces new recommendations or updates, those changes should be clearly highlighted. 

June 11, 2024

Comments by the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) on the DHS “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements”

M3AAWG has submitted comments to the Department of Homeland Security's (DHS) Proposed Rulemaking on “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements”. M3AAWG recognizes the key role effective cyber incident reporting can have in addressing the impacts of cybersecurity incidents and combating online abuse. Cyber incident reporting can minimize consequences to victims, capture lessons learned, and improve cybersecurity nationwide, thereby increasing the likelihood that perpetrators will be held accountable. However, overly broad cyber incident reporting rules often do not, on balance, yield benefits commensurate with the significant costs those rules impose on both reporting entities and the government.

We generally support CISA’s efforts to craft a proposed rule that seeks to achieve the intended goals of the CIRCIA mandates. However, M3AAWG urges CISA to consider the following suggestions to clarify or modify its proposed rule, as detailed below. We note that our comments today are focused on certain critical areas of concern to our members and do not represent a comprehensive discussion of all issues covered in the expansive CIRCIA NPRM.

May 29, 2024

Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) on NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile

M3AAWG has submitted Comments on the NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. With the growing importance of AI in society and the challenges of AI-related security and abuse issues, appropriate management of AI risk is becoming ever more pertinent, which is why M3AAWG welcomes the opportunity to submit comments.

Comments Submission Date: May 29, 2024
