Now that the National Institute of Standards and Technology and the Homeland Security Department released the cybersecurity framework for critical infrastructure providers Wednesday, agencies have until May to figure out how it fits into their regulations.
Executive branch agencies will review existing regulatory guidance and rules in their oversight areas and, in May, propose changes that are prioritized and risk-based to mitigate threats and vulnerabilities, said Michael Daniel, the White House’s cybersecurity coordinator, during an event in Washington.
“The goal from the administration’s standpoint is not to expand regulation. Our goal in this area is to streamline existing regulations, and wherever possible bring those regulations into alignment with the framework,” Daniel said. “We are encouraging those agencies to focus on voluntary efforts and programs to support the adoption of the framework. For those sectors where regulations already exist, we’re encouraging those agencies to engage in processes to support efforts to harmonize and align current regulations with the framework. Obviously, while we can’t direct the independents to do anything, we’ve invited them to follow the same process.”
“Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.” – President Barack Obama
“Thanks to these efforts, companies now have a common, but flexible path forward to better secure their systems and also a meaningful way to measure their progress.” -Sen. Tom Carper (D-Del.)
“The framework represents an effective approach to cybersecurity because it leverages public-private partnerships.” -Dean Garfield, president and CEO of the IT Industry Council
“A voluntary, risk-based tool that can be utilized by a broad array of organizations.” -Renee James, president of Intel
Core – A set of cybersecurity activities, outcomes and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.
Profile – Helps organizations align their cybersecurity activities with their business requirements, risk tolerances and resources.
Implementation Tiers – Provide a way for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
“At its core, the framework serves as a bridge between business leaders and information security professionals. Together you can use this framework to gauge the appropriateness of your organization’s cybersecurity investments,” said Penny Pritzker, the Commerce Department secretary. “As such, if a business leader wants to do more to address cybersecurity, but doesn’t know where to begin, the framework can be of great help. The overall goal of the framework is to help organizations align their policies, their technologies and their day-to-day business operations to better protect data and information technology systems. The framework is crafted in a way that it can help any organization regardless of size, sophistication or level of cyber risk.”
NIST has led the effort to bring together industry, academia and others to offer insights and comments on how to create the best-practices guide.
Vendors and associations alike praised NIST’s efforts to bring the community together.
“The chamber has valued NIST’s involvement with the cybersecurity framework as they have treated the business community as a genuine partner in identifying existing cybersecurity standards and practices that are effective in improving security and resilience,” said Ann Beauchesne, the U.S. Chamber of Commerce’s vice president of national security and emergency preparedness in an email statement. “Much still remains to be seen in terms of how the cyber framework is implemented and revised, especially the roles that regulatory agencies and departments will play.”
Under C3, DHS is bringing together all of its tools and assistance programs in one place to emphasize convergence of resources that support resilience, awareness and engagement.
Another senior administration official said the long-term goal for C3 is for businesses and other organizations to establish and improve risk management processes and to take advantage of the government’s resources.
“For example, the program supports the use of the cybersecurity framework through the cyber resilience reviews (CRR). The CRR is a free assessment to evaluate an organization’s information technology resilience,” the official said. “The CRR may be conducted as a self-assessment or as an in-person facilitated assessment. The goal of the CRR is to develop an understanding and measurement of key capabilities to provide meaningful indicators of an organization’s operational resilience and their ability to manage cyber risk to their critical services during normal operations and at times of operational stress and crisis.”
DHS has conducted more than 330 CRRs. Additionally, the official said companies can take advantage of a host of other cyber resources, including the incident response capabilities of the National Cybersecurity and Communications Integration Center (NCCIC), the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems CERT (ICS-CERT).
The framework is based on existing standards and best practices that NIST gathered during five workshops around the country and thousands of comments and suggestions from industry.
NIST also is taking a page from the Energy Department, which created a risk maturity model: a set of baseline standards for electricity company owners and operators to meet.
Daniel Poneman, Energy’s deputy secretary, said the pilot started with 17 utility providers and expanded to more than 100 serving 69 million customers.
“This would not happen if there wasn’t a demand or need. So today in support of cybersecurity framework, we are releasing the second phase of our cybersecurity model and we are extending its coverage,” he said. “We’ve been doing the electric industry. We are going to the oil and gas sector. This will be a very important complement to all the work that we do.”
The White House’s Daniel said the next steps include deciding on the best incentives to get industries to adopt the framework, including tax breaks, insurance and public recognition. The General Services Administration and the Defense Department released recommendations last month to ensure cybersecurity is part of the federal acquisition process, which is another requirement under the President’s Executive Order.
Daniel said he expects to make public the incentives in the next few months.
Additionally, the framework needs time to be absorbed and implemented by companies. NIST has said all along the framework will continually be updated based on new threats and industry requirements.
“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity. America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet,” said President Barack Obama in a statement. “Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”