The National Institute of Standards and Technology says it’s the “end of the beginning” for the drafting of the nation’s first-ever cybersecurity framework for protecting critical infrastructure. The agency says the document is essentially finished, and should be ready for release by its due date in a few weeks.
The framework came about through President Barack Obama’s February executive order on cybersecurity. It embodies the administration’s view that private sector infrastructure operators that are critical to the nation’s well-being should live up to a minimal level of cybersecurity practices.
Compliance with the framework is voluntary, but NIST says plenty of private-sector actors have stepped forward to help develop it; the agency counts 1,500 people who’ve attended workshops to help develop the framework this year and another 2,000 who’ve participated online.
Patrick Gallagher, the undersecretary of Commerce for standards and technology and NIST’s director, said the preliminary version of the framework should be out by mid-October. NIST will spend three months gathering public comments, and a version 1.0 is targeted for February.
“There are really two major moving parts to the framework,” he told the annual Billington Cybersecurity summit in Washington Wednesday. “One is a collection of existing standards and practices. You will recognize many of them. The other is a structure, a framework in the true sense of the word, that organizes those practices and provides really a set of tools that support the use and adoption of those standards and practices.”
Gallagher said it was clear from the outset that the framework needed to be flexible enough to be adopted by companies of any size or cyber capability.
The initial version will be organized around three structures:
One breaking down five different types of cyber defense activity;
One addressing various levels of cybersecurity maturity within an organization;
Finally, a set of “profiles” designed to let companies assess how capable they are at defending against cyber attacks and improve from there.
“It identifies a set of implementation tiers,” Gallagher said. “From an early-adopter, low-maturity organization that may be very rule-based, to a highly mature organization that has organized risk management at all levels. It’s analogous to a cultural approach, much like what we’ve seen in safety management and other areas. A key construct here is that there is no threat-proofing. There is no magic bullet. This is not about eliminating the problem, this is about managing it.”
With the initial drafting process now complete, Gallagher said NIST will move quickly into the implementation phase. He said the framework is not worth much if no one pays attention to it. He described three challenges ahead to make the framework relevant.
First, NIST and the industry members who helped develop the framework have to persuade companies to adopt it, not just within their IT offices, but throughout their organizations.
“They have to map it into their own situation, map out where they’re at and use the practices. This can’t just live on the shelf in the IT security department. It’s vital that it permeate all levels of the organization,” he said. “And in principle we’re primarily focused on engaging the C-suite leadership who have an overall responsibility in these companies. A large part of our effort now will focus on that outreach and that adoption.”
Secondly, adoption within a given company isn’t enough, Gallagher said. He said the framework needs to become part of the broader marketplace and align good cybersecurity practices with good business practices.
“This means it also has to be integrated into business-to-business transactions: contracts [and] service-level agreements. It also has to look at customer engagement, and it also means we have to look at global adoption. Our framework should be integrated into worldwide standards so it’s compatible with activities around the world,” he said. “This may include conformity assessment vehicles, things like conformance testing or certification or other types of product identification so that businesses understand and can identify conforming practices in the market. And it also includes incentives. Where are the barriers? Where are the places where the market doesn’t behave, and how do we promote that?”
Finally, Gallagher said, just as the framework urges companies to continually improve their processes, NIST needs to build on the framework itself each year, based on real-world experience as companies put it into action.
“If this process we just did over the last eight months ends up being a once-through, then we’ve failed,” he said. “The technology is too dynamic, and I don’t believe the framework is perfect. We expect companies who adopt it and put it into use to identify places where it makes no sense and where there are gaps. We have to operationalize this collaboration we’ve built and turn it into a continuous process. So right away we have to start thinking about a 2.0 version. These early adopters that take up the challenge and put this into use are going to shape the framework, and I think they’ll drive the governance of the process. This has to be an industry-led effort.”
Incentives under consideration
NIST and other agencies also will be working through other processes designed to support and monitor the adoption of the framework. The February executive order told agencies to examine their current regulations and practices to determine which ones might be hindering good cybersecurity practices and how they might be able to incentivize the firms they regulate to adopt the framework.
“Over the next few months, as we get ready to roll out the final framework, we’re going to be looking at what that set of incentives is that we could use under our current authority,” Michael Daniel, the White House cybersecurity coordinator, said at a separate cybersecurity event Wednesday hosted by the U.S. Chamber of Commerce. “We’re going to need to look at what we might actually still need to go back and ask for legislatively, which is a long-term process. We’re beginning to rack and stack all of that, and in the framework 1.0, I expect you’ll probably see more on those incentives.”
Also, the Department of Homeland Security has been drawing up a list of privately-owned U.S. infrastructure “assets” that are so critical that a cyber attack that took them offline would cause a major catastrophe. Daniel said that step is designed, in part, to measure how well the government is doing at getting the cyber framework adopted.
“If you don’t have a denominator to measure against, you don’t know how well you’re doing,” he said. “DHS has gone through a rather impressive degree of analysis to arrive at the initial set of these assets, and we’re starting the process to notify the companies now. Obviously the list itself is not something we want to share with our adversaries, but the companies themselves need to be aware and be able to talk about it amongst themselves. We’re beginning that process right now.”
In an interview following the panel discussion, Daniel said companies shouldn’t read too much into whether their firms’ assets appear on the secret list or not. He said it’s primarily designed to give DHS a better understanding of the layout and risk profile of the nation’s most critical infrastructure.
Federal News Radio’s Jason Miller contributed to this report.