CFTC Proposes Enhanced Cybersecurity Rules | Practical Law

The CFTC announced two proposed amendments to existing cybersecurity regulations for DCMs, SEFs, SDRs, and DCOs.

Practical Law Legal Update w-001-1073 (Approx. 5 pages)

by Practical Law Finance
Published on 05 Jan 2016 | USA (National/Federal)
On December 16, 2015, the CFTC announced two proposed amendments (the proposals) to existing cybersecurity regulations:
Currently, the Commodity Exchange Act (CEA) and its corresponding CFTC regulations require each DCO, DCM, SEF, and SDR (collectively, covered parties) to maintain a program of risk analysis and oversight that is "reliable, secure, and ha[s] adequate scalable capacity" with respect to system safeguards (17 C.F.R. § 39.18, 17 C.F.R. § 37.1401(g), 17 C.F.R. § 38.1051(h), and 17 C.F.R. § 49.24(j)).
The proposals seek to clarify five types of system safeguard testing that covered parties can use to fulfill their existing requirements; according to the CFTC, the proposals do not impose any new requirements.

Cybersecurity Testing Elements

Vulnerability Testing

The proposals define vulnerability testing as testing done "to determine what information may be discoverable through a reconnaissance analysis (which is deliberately left broadly defined) of those systems and what vulnerabilities are present on those systems."
Best practices for vulnerability testing include:
  • Automatic scanning on both a regular and ongoing basis as new vulnerabilities are identified and reported.
  • Scanning tools that automate parts of the vulnerability management process.
  • Scans that look out for:
    • patch levels (ensuring that proper security patches are in place);
    • functions and services that should not be accessible to certain users or devices; and
    • operating information flow controls.
The proposals would mandate all covered parties to conduct vulnerability testing based on their own risk analysis but would require "covered DCMs" and all DCOs and SDRs to conduct these tests no less than quarterly. Two of these quarterly tests must be conducted by independent contractors. By dividing testing between independent contractors and employees, the CFTC hopes to assess vulnerabilities from both inside and outside perspectives.
Covered DCMs are DCMs whose annual total trading volume accounts for at least five percent of the annual total trading volume of all DCMs regulated by the CFTC.

Penetration Testing

Penetration testing looks to "subject the system to real-world attacks by testing personnel, in order to identify both the extent to which an attacker could compromise the system before the organization detects and counters the attack, and the effectiveness of the organization's response mechanisms."
Best practices for penetration testing include:
  • External testing from the internet or wireless frequencies near an entity.
  • Internal testing within an entity's internal network.
The proposals would mandate all covered parties to conduct penetration testing based on their own risk analysis but would require covered DCMs, DCOs, and SDRs to conduct both internal and external tests no less than annually. Independent contractors would be required for at least one mandated external test.

Controls Testing

Controls testing refers to an assessment of an entity's safeguard-related controls designed to protect its reliance on its automated systems and the security integrity of its data and information. This includes testing of technical, operational, and management controls.
Best practices for controls testing call for regular, ongoing testing of all of an entity's safeguard-related controls. The proposals would mandate all covered parties to conduct controls testing based on their own risk analysis but would require covered DCMs, DCOs, and SDRs to test each component of their controls safeguards no less than every two years. The proposals allow either independent contractors or employees to conduct controls testing (regardless of whether the entity is a covered DCM, DCO, or SDR).

Security Incident Response Plan (SIRP) Testing

SIRP testing is designed to provide an entity with the ability to discover, contain, eliminate, and recover from a cyber attack. Ideally, a SIRP should include both a cyber SIRP and physical SIRP (perhaps as part of the entity's business continuity plan).
The proposals would mandate that all covered parties conduct SIRP testing based on their own risk analysis but would require covered DCMs and all DCOs and SDRs to conduct SIRP testing no less than annually. The proposals do not require any covered party, including covered DCMs, DCOs, and SDRs, to use independent contractors for SIRP testing.

Enterprise Technological Risk Assessment (ETRA) Testing

ETRAs refer to written assessments of threats in the context of mitigating controls. The purpose of ETRA assessments would be to identify:
  • Threats and vulnerabilities.
  • The potential harm of exploiting those threats and vulnerabilities.
  • The likelihood that harm would occur from this exploitation.
Best practices for ETRA testing would include regular testing for all covered parties. The proposal would mandate that all covered DCMs, DCOs, and SDRs conduct ETRA testing no less than annually. The proposal would allow covered parties to use either independent contractors or employees to conduct testing.

Other Aspects of the Proposals

Minimum Frequency and Independent Contractor Testing for Covered DCMs and All SDRs

Minimum frequency and independent contractor testing requirements would apply to all SDRs, DCOs, and covered DCMs.

Advance Notice of Proposed Rulemaking (ANPR) for Covered SEFs

The exchange proposal includes an advance notice of proposed rulemaking (ANPR) that would subject systemically important SEFs (covered SEFs) to the same minimum frequency and independent contractor requirements as are proposed for covered DCMs, DCOs, and SDRs.
Covered SEFs would include any SEF with annual total notional value of swaps traded on or pursuant to its rules equal to ten percent or more of the annual total notional value of all swaps traded on or pursuant to the rules of all SEFs regulated by the CFTC.
For more information on the proposals, see the CFTC's fact sheet and Q&A.
Public comments on the proposals are due on February 22, 2016. Comments should be addressed to Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW, Washington, DC 20581. Comments also may be submitted via the Federal eRulemaking Portal at www.regulations.gov. Comments on the Exchange Proposal should be identified by RIN number 3038-AE30 and comments on the Clearing Proposal should be identified by RIN number 3038-AE29.