At the halfway point of cobbling together a set of standards and best practices for the nation’s critical infrastructures to consider implementing to bolster their cyber security postures, the Obama Administration yesterday released several reports on potential incentives to encourage industry adoption of these standards and practices.
The reports were prepared by the Departments of Homeland Security, Commerce and Justice and include recommendations to President Barack Obama. The White House is making the draft report public in the interests of transparency and to continue the public conversation that is underway with the consolidation of the standards and practices into the Cybersecurity Framework, Michael Daniel, special assistant to the President and the Cybersecurity Coordinator, says in a White House blog post.
Work on the draft Cybersecurity Framework, which is being led by the National Institute of Standards and Technology and essentially is building on existing standards and best practices used by industry and the public sector, is on schedule for completion in October with a final release next February. Creation of the framework was directed by Obama in an Executive Order in February amid growing cyber threats to the nation’s critical infrastructures, most of which are privately owned.
Daniel says that incentive options will be reviewed by various government agencies in the coming months to determine which ones to adopt, “based substantially on input from critical infrastructure stakeholders.”
In its draft report, the Department of Homeland Security among other measures recommends a grants program for investment in cyber security products and services for companies that adopt the framework. Alternatively, DHS says that critical infrastructures receiving federal grants could be required to adopt the framework.
Larry Clinton, president of the Internet Security Alliance, applauded the DHS grant program, stating that it “will provide an immediate vehicle for the best in the private sector to help shore up vulnerable government systems while the incentives outlined in the White House report today will provide the sustainable fuel to power the engine of enhanced standards and practices being developed by NIST.”
In addition to grants, other recommended incentives outlined in the various department reports include cyber security insurance, expedited technical assistance to framework adopters, liability protections, streamlining regulations to make compliance with the voluntary framework easier, public recognition for participants, prioritizing government research to close security gaps, and allowing utilities that adopt the framework to recover their investments through rate adjustments.
Daniel pointed out that some of the incentives, none of which are final, could be set up quickly while others will require legislative action. He also said that maturation of the framework and the continued public dialogue will help determine what incentives are offered.