The National Institute of Standards and Technology (NIST) shortly will release a Request for Information (RFI) as part of a collaborative effort with industry and other stakeholders to identify existing security standards that could be voluntarily used by owners and operators of critical infrastructure to reduce risks to cyber threats.
The RFI will kick start an iterative process that will include a series of workshops hosted by NIST during the next few months to develop the Cybersecurity Framework, which will provide the cyber security standards and best practices that critical infrastructure owners can voluntarily apply to their networks.
A preliminary version of the framework is due in eight months and the final version in one year. But the framework will be a living guide as NIST will revise and update it to meet changing business and security needs.
Some of the areas that NIST wants framework information for include encryption and key management, in particular how does an organization protect, store and organize encryption keys, asset identification and management, and security engineering practices.
The process for identifying the various best practices and security standards that will emerge in the framework will “not lock in a particular technology or approaches” but will reflect existing domestic and international standards, a senior Obama administration official said recently. Moreover, the framework will not be a “one-size-fits-all” approach but will allow private critical infrastructure to select what works best for them, the official said.
“As we move forward with the Cybersecurity Framework, NIST will be collecting input from a wide variety of stakeholders to come up with an effective set of voluntary standards that will safeguard our nation’s most critical infrastructure from cyber security threats,” Rebecca Blank, deputy Commerce Secretary, said in a statement. “Protecting our businesses and system from attacks, while also ensuring that new voluntary standards allow the flexibility for innovation, is crucial to ensuring our economy can continue to grow.”
The Homeland Security (DHS) and Commerce Departments have also signed a memo of understanding (MoU) to improve the synchronization and mutual support of their respective efforts to improve the nation’s cybersecurity while also protecting privacy and civil liberties, according to a DHS statement.
The establishment of the Cybersecurity Framework as well as directions to the federal government to share cyber threat data with critical infrastructure owners and operators is contained in a new Executive Order issued by President Barack Obama in an initial step that his administration hopes will be followed by congressional legislation to help the private sector and the federal government bolster cyber security.
The order also seeks to integrate cyber security into federal acquisitions. One of the executive actions calls for the Defense Department and General Services Administration (GSA) to make a recommendation within 120 days “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”
The order also calls for identifying critical infrastructure that is at the greatest risk should a threat result in “catastrophic regional or national effects on public health or safety, economic security, or national security.” Excluded from this directive are commercial information technology products or consumer information technology services.
The Executive Order can’t, and doesn’t, address new federal authorities and only directs agencies to do things that they can under existing statutes. Congressional action is needed in other areas to further boost the security of critical infrastructure, senior administration officials said recently.
For example, the issue of the private sector sharing information with each other and with the federal government must be tackled with legislation, they said. Congress has to provide the safe harbor provisions to enable this type of information sharing.
The Executive Order directs the Secretary of Homeland Security, in collaboration with the Defense Secretary, to establish procedures for a voluntary program that will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
To update laws and law enforcement tools to better fight cyber crime will also require congressional action, the officials said. U.S. Cyber Command (CYBERCOM) and National Security Agency (NSA) chief Army Gen. Keith Alexander recently urged Congress to pass legislation to assist cooperation and take on private industry’s liability concerns.
“Legislation is…necessary to create incentives for better voluntary cooperation on cyber standards, developments and implementation, and to update and modernize government authorities to address these new cyber threats,” Alexander said. “Where appropriate, cyber legislation (also) needs to address industry liability concerns.”
The Executive Order “is a down payment” on the legislative process, an official said.