Development of Cybersecurity Framework Going Well at 120 Day Mark

From: HSToday.US

By: Mickey McCarter

Under the White House cybersecurity executive order, federal agencies are scheduled to deliver the first set of products after 120 days, which is Wednesday.

The effort toward building a cybersecurity framework of best practices to guide owners and operators of critical infrastructure has gone well, thanks in part to a strong dialogue between the public and private sectors, officials from the White House, the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) reported Tuesday.

Speaking at the Cable Show presented by the National Cable and Telecommunications Association in Washington, DC, Samara Moore, White House director for cybersecurity and critical infrastructure, said deliverables under the cybersecurity executive order fall into two major areas: information sharing and cybersecurity best practices.

“As it relates to information sharing, that is the area where we have the most deliverables due here this week,” Moore said. “First, it’s the government working together to find a way to share information as much as possible, and as much classified information as possible, in a timely manner in a way that is actionable, so owners and operators can leverage that information and be able to act quickly to identify and address a threat.”

On the 120-day deadline, agencies are scheduled to report instructions on how to share cybersecurity information with the private sector. They also are due to expand Enhanced Cybersecurity Services (ECS), a program that supplies Internet service providers with threat information to protect critical infrastructure from cyberattack; to make recommendations for security standards in acquisition planning and contract administration; and to make recommendations on incentives to promote participation in the cybersecurity framework, which is voluntary.

After 150 days, DHS must report on the identification of key critical infrastructure at risk. After 240 days, NIST must deliver a preliminary version of the cybersecurity framework. In October, the draft cybersecurity framework will become available for public comment.

Efforts to work with industry to shape the cybersecurity framework have gone well, beginning with a request for information (RFI) released the day after the executive order to collect data on existing frameworks and best practices, said Donna Dodson, NIST chief of computer security.

NIST developed some guiding principles from the RFI, such as requirements to remain flexible and build on existing capabilities.

“We received a lot of over-arching good guidance through the request for information process,” Dodson said.

In May, NIST held a workshop at Carnegie Mellon University in Pittsburgh, Pa., to assess RFI responses and move forward with an outline for the cybersecurity framework. About 400 people attended that workshop and provided strong feedback for NIST, Dodson said. RFI respondents and Pittsburgh workshop participants emphasized a risk management approach for the cybersecurity framework, which must include standards that are both flexible and actionable.

NIST will hold a second workshop for several days beginning July 10 at the University of California in San Diego. The workshop is open to interested participants.

“We will begin working with workshop participants to drill down and really start populating that draft framework,” Dodson said.

The government’s approach to the problem has been to listen to the owners and operators of critical infrastructure to meet their needs, said Robert Kolasky, director of the DHS integrated task force on the cybersecurity framework.

“How do we organize the community in a way where we can have that conversation as a partnership? We must listen as much as possible to folks who have responsibility for cybersecurity and infrastructure security, and that is the owners and operators,” Kolasky said.

DHS will run a voluntary program that results from the cybersecurity framework. As such, the department is interested in ways to encourage participation.

Kolasky and others have identified 14 classes of incentives that federal agencies can offer private companies to adopt the standards of the cybersecurity framework, he said. Those incentives, which are relatively low-cost measures, include things like streamlining information security regulations and providing targeted technical assistance.

The officials agreed that they must maintain a “light touch,” however, and help to create space for innovations in the cybersecurity marketplace.

Dodson said flexibility remained key. The cybersecurity framework must evolve over time to address the challenges of the day.

“The threatspace that we had five years ago is not the same threatspace that we have today. The cybersecurity capabilities that we have today are much more advanced than those we had five years ago,” she said.
