After eight months, the National Institute of Standards and Technology Tuesday released the cybersecurity framework for critical infrastructure providers.
But now the real work begins. NIST must move from its role of bringing more than 3,000 industry, academics and government experts together to one of persuader with a goal of making sure companies understand the benefits of implementing the framework.
Part of how NIST, and the government at large, will do that is through incentives.
In August, the White House offered some details on the recommendations provided by the departments of Homeland Security, Commerce and Treasury as to the areas where incentives could help adoption of the framework.
A White House official said Tuesday some of the eight potential areas of incentives determined by the three agencies — insurance, grants, process preference, liability limitation, streamlined regulations, public recognition, rate recovery and cybersecurity research — are immediately applicable and would be implemented now.
Others can only be implemented once the cybersecurity framework is completed, so the administration will evaluate them in full once the framework is complete, the official said in an email.
“Agencies are already beginning to work with the insurance industry to develop groundwork so that the framework can be utilized properly within the current marketplace and developing the means to use framework adoption as a criteria for cybersecurity grants,” the official said. “Discussing these agency reports publicly is an interim step and does not indicate the administration’s final policy position on the recommended actions. We will be making more information on these efforts available as the framework and program are completed.”
Additionally, agencies will review the framework over the next three months. Those that already regulate industry sectors, such as electricity or banking, will determine if they have enough regulatory authority.
The White House official said sector-specific and other relevant agencies, most of which are non-regulatory, are actively working with the Homeland Security Department to provide information necessary to carry out the responsibilities under the Executive Order.
NIST’s release of the final draft version of the framework is step one of a multi- step process. It will accept comments over the next few months and then release a final Version 1.0 in February.
Patrick Gallagher, the director of NIST, said the agency will host the fifth workshop Nov. 14 to 15 in Raleigh, N.C.
“There we will be seeking one more round of input on the framework, and we will be discussing options for an industry led governance structure of the framework going forward,” he said during a call with reporters Tuesday. “We continue to work on the framework after [it’s released in February].”
Gallagher said he expects the privacy and civil liberties section of the framework to draw a lot of comments in November and possibly change the most when NIST releases version 1.0 in February.
Gallagher said the framework changed little since the August version. He joked that the final draft version is one of the worst kept secrets in Washington.
The framework provides a common language for organizations to:
Describe their current cybersecurity posture;
Describe their target state for cybersecurity;
Identify and prioritize opportunities for improvement within the context of risk management;
Assess progress toward the target state;
Foster communications among internal and external stakeholders.
The document is centered around five core functions — identify, protect, detect, respond and recover — which can provide a high-level, strategic view of an organization’s management of cybersecurity risk.
Under each of these core areas, NIST identified underlying key categories and subcategories and matched them with examples, such as existing standards, guidelines and practices for each subcategory.
“The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk,” the document stated. “A key objective of the framework is to encourage organizations to consider cybersecurity risk as a priority similar to financial, safety, and operational risk while factoring in larger systemic risks inherent to critical infrastructure.”
Not a silver bullet
Gallagher said the framework will mean different things to different sized organizations.
“The underlying structure of what’s needed is the same. The principles are the same. [All sizes of organizations] need to be able to identify, protect, detect, respond and recover to and from cyber threats,” he said. “The framework provides a way for these organizations to match up their current efforts with best practices in these various functional areas and to gauge the maturity of their own cybersecurity systems.”
Gallagher added the framework also gives them a way to set goals through a roadmap toward better security and lower their risks.
But, Gallagher said, the goal of the framework is not to make companies bulletproof from cyber attacks. It’s not about eliminating cyber risks, but managing them effectively, he said.
Some already have criticized the framework as too broad, but Gallagher said they need to look more closely at the framework.
“You will always run into this tension between specificity and generality when you have something of this approach. I would be careful not to construe the relative simplicity of the framework with a lack of specificity,” he said. “If you look at the underlying standards and practices that are references, there is quite a bit of meat there in terms of best practices. The objective was not to add something brand new or highly complex. It was designed to provide something that was usable, adaptable and scalable.”
But the broad design of the framework leaves some questioning just how useful the framework can be.
Bob Dix, vice president of government affairs and critical infrastructure protection for Juniper Networks, said this draft, like the previous ones, attempts to do too much.
“I think it’s trying to be all things to all people. As I’ve tried to share with my own comments, there is a huge difference between trying to educate people about basic hygiene, things that they can do to protect themselves again being infected in cyberspace or impacted in cyberspace, versus the requirements for protections of industrial control systems or dealing with the advanced persistent threat,” he said. “So I think it’s still too broad. I think it needs to narrow both the target audience and the target objectives. I’m not sure that will happen.”
More focus on cyber hygiene
Dix said he applauded NIST’s efforts to bring the community together and listen to all the differing opinions. But he preferred to call the framework a tool box where companies can grab the tool they need to improve how they deal with cyber threats and vulnerabilities.
Instead of this broad framework, Dix said he’d like to see the framework address the 80 percent of the cyber problems that can be fixed by doing basic things, such as patch management, requiring more frequent changes to passwords or something as simple as turning on firewalls. He said many businesses don’t know how to do these basics.
But when NIST tries to stretch the framework to be all things to everyone, it becomes too complex and less effective, he said.
Dix said he hopes the framework will be a catalyst for other cyber initiatives, including incentives, risk management based on the economics of cybersecurity and a better national awareness campaign.
Other industry experts reacted with similar caution.
The Telecommunications Industry Association said in a release it will review the framework and offer comments in the coming months. It reiterated the need for the framework to be voluntary and flexible and not a mandate.
“What NIST released today looks very similar to what was released prior to workshop four in Dallas with no significant change based on the feedback and suggestions shared by industry at the workshop and afterwards. I’m hopeful that NIST will account of our suggestions during the 45-day public comment period and incorporate them into the final cybersecurity framework,” said Phil Agcaoili, the chief information security officer at Cox Communications, in an email. “NIST has effectively established a new security standard with the cybersecurity framework that will lead us towards a compliance regime rather than forge us ahead towards adoption of valuable safety practices (basic cyber hygiene) to ensure the security of critical infrastructure in cyberspace.”
Tom Conway, director of McAfee federal, was more optimistic about the framework.
“As active participants in the development process, we’ve been impressed with the way NIST is building this framework from existing industry standards and best practices. And rather than starting with a pre-conceived notion of what it should look like, they’ve been listening to, evaluating and incorporating what they learn from the workshops and comments. We have every reason to believe that process will continue until the final version is released in February,” he said in a statement. “The framework also represents a voluntary approach to cyber security, and this is important. Many critical infrastructure industries are regulated to some extent already, and often the rules prove more of a hindrance than a help. We think this would be the case with cybersecurity regulation, and therefore we favor mechanisms such as the voluntary framework.”
Conway added version 1.0 of the framework will let organizations agree on some basic security principles and practices.