NIST to Hold Workshop Series on Cybersecurity Framework

Published: April 10, 2013

Tags: DOC, Critical Infrastructure Protection, Cybersecurity, DHS, Policy and Legislation

Based on early reviews of the 2014 budget request, it appears agency efforts to improve cybersecurity will receive continued attention for the foreseeable future. As part of the executive order on cybersecurity, the National Institute of Standards and Technology (NIST) was given the responsibility for developing a cybersecurity framework. The first in a series of workshops on developing this “living framework” was held in Washington, D.C. on April 3, 2013. Much of the discussion revolved around risk management and the role of industry in identifying best practices. (Not surprisingly, these are issues that government agencies have been facing too.)

Mid March, we looked at the role of private industry in implementing the cyber executive order. For government, the goal of partnership with industry is to strengthen national security both within government and across private industry. To that end, the public sector has been reaching out for input from industry, academia and the public. As Rebecca Blank, Deputy Secretary for the Department of Commerce, phrased it in her opening comments: “Government cannot and should not do this alone.”
 
It’s clear that improved information sharing, situational awareness, and public-private partnership have roles to play in moving forward. For the most part, government and industry agree that there’s a need to build on existing capabilities, to identify solutions that provide flexibility and that can adapt across varying sector requirements.
 
For many companies, cybersecurity has become an integral part of the discussion around risk-management practices. Opinions vary about how to define “best practice,” and rightly so. Organizations do not have a consistent answer for how to measure the success of security practices. For the most part, risk levels are evaluated at the tactical level rather than compared to strategic benchmarks. Raising risk and security management to a strategic level would clarify its role in business strategy. During an industry leadership panel discussion, Patrick Gallagher, the Under Secretary of Commerce for Standards and Technology and Director of NIST, described this challenge as the need “to learn about the balance between good cybersecurity and good business.”
 
In all likelihood, the best practices captured in the framework will illustrate a range of approaches to security implementation. This brings us to another sticky wicket: incentives. While there is no certainty that one organization will see the same success by following another company’s lead, effective policies and procedures around risk management can contribute to a competitive position. There is no current barrier to sharing practices. So what is going to change? What will motivate the private sector to adopt new security standards voluntarily? What role can the government play to facilitate the exchange?
 
For starters, the government is asking for input. The Departments of Homeland Security, Commerce and Treasury are working together to report on industry incentives. The Commerce Department posted a Notice of Inquiry on incentives for getting industry involved in the framework development process. Public comments are open until April 29, 2013.
 
Beyond that, several multiday workshops are being scheduled. The next session will be hosted at Carnegie Mellon, held from May 19th through 31st. Other sessions will be held in July and September, further informing the framework. The first draft of the framework is due in October 2013, allowing 8 months from the release of the executive order for the draft to be crafted.