Cybersecurity Framework Offers New Ways for Firms to Look at Security

From: Signal Online/AFCEA

By Henry S. Kenyon

Information technology and communications companies doing business with the federal government may want to look at the Preliminary Cybersecurity Framework being released for public comment on October 29. The framework, which is a part of President Obama’s executive order for Improving Critical Infrastructure, outlines a series of voluntary steps that organizations can take to improve their network security. While contractors can rely on complying with existing rules and regulations for cybersecurity, federal officials said that enterprises may want to see how different sectors are approaching network security, as described in the framework.

Although the main goal of the executive order’s voluntary process is to engage the participation of companies in different industry sectors whose assets comprise the nation’s critical infrastructure, the steps and processes outlined in the framework can help enhance individual firms’ network security and, by extension, the national infrastructure as well. The framework focuses on creating an overarching set of voluntary standards for critical infrastructure firms, but many parts of the security picture are already in place in the form of existing regulations, laws and policies, Adam Sedgewick, senior information technology policy adviser for the National Institute of Standards and Technology (NIST), says.

NIST, which is responsible for planning and organizing the cybersecurity framework under the executive order, has solicited questions and advice from the private sector since the beginning of the process, Sedgewick explains. While many firms in the federal sector have security rules and regulations to fall back on, such as the Federal Information Security Management Act, those rules and their exact language and approach vary from sector to sector. The theory behind NIST’s approach is that despite these differences, there are some core security practices that work across sectors. “The onus is on the administration to talk about cohesive policies for government contractors,” he says.

The new framework is now beginning its open comment period. Government contractors might want to look at the framework and compare it against how they currently provide services to their customers, Sedgewick suggests. Based on their business needs and requirements, firms should provide robust comments during the comment period to make sure their needs are addressed, he says.

While firms working as government contractors have existing rules to work with, Sedgewick recommends that they look at the framework, because it may provide them with new ways to communicate with one another and with other sectors about cybersecurity issues. Such communication will in turn lead to better ways to defend critical networks. “The more eyes we have on this, the better the document will be, and the easier it will be for people to use,” he says.
