Cybersecurity Framework Offers New Ways for Firms to Look at Security
Information technology and communications companies doing business with the federal government may want to look at the Preliminary Cybersecurity Framework being released for public comment on October 29. The framework, which is a part of President Obama’s executive order for Improving Critical Infrastructure, outlines a series of voluntary steps that organizations can take to improve their network security. While contractors can rely on complying with existing rules and regulations for cybersecurity, federal officials said that enterprises may want to see how different sectors are approaching network security, as described in the framework.
Although the main goal of the executive order’s voluntary process is to engage the participation of companies in different industry sectors whose assets comprise the nation’s critical infrastructure, the steps and processes outlined in the framework can help enhance individual firms’ network security and, by extension, the national infrastructure as well. The framework focuses on creating an overarching set of voluntary standards for critical infrastructure firms, but many parts of the security picture are already in place in the form of existing regulations, laws and policies, Adam Sedgewick, senior information technology policy adviser for the National Institute of Standards and Technology (NIST), says.
NIST, which is responsible for planning and organizing the cybersecurity framework under the executive order, has solicited questions and advice from the private sector since the beginning of the process, Sedgewick explains. While many firms in the federal sector have security rules and regulations to fall back on, such as the Federal Information Security Management Act, those rules and their exact language and approach vary from sector to sector. The theory behind NIST’s approach is that despite these differences, there are some core security practices that work across sectors. “The onus is on the administration to talk about cohesive policies for government contractors,” he says.
The new framework is now beginning its open comment period. Government contractors might want to look at the framework and compare it against how they currently provide services to their customers, Sedgewick suggests. Based on their business needs and requirements, firms should provide robust comments during the comment period to make sure their needs are addressed, he says.
While firms working as government contractors have existing rules to work with, Sedgewick recommends that they look at the framework, because it may provide them with new ways to communicate with one another and with other sectors about cybersecurity issues. Such communication will in turn lead to better ways to defend critical networks. “The more eyes we have on this, the better the document will be, and the easier it will be for people to use,” he says.
One of the goals of the cybersecurity framework is to identify and smooth over inconsistencies in security policies between different sectors. When the executive order was released, NIST issued a request for information (RFI) asking how organizations manage risk. NIST also was looking for security solutions that were practiced across different sectors with the goal of promoting them broadly, Sedgewick says.
NIST received 245 responses to the RFI from organizations, individuals and business associations. After it collected the responses, NIST conducted an analysis and identified a lack of consistency in how different sectors communicated about security threats. “A consistent way of how to talk about things across sectors doesn’t really exist today,” he explains.
What kept emerging was that industry sectors have different ways to discuss cybersecurity issues, Sedgewick says. The cybersecurity framework creates a set of standards that fits into these varying industry goals. He adds that NIST has posted some examples of different sector standards on its site, such as the energy sector’s North American Electric Reliability Corporation standards, and how these different industry guidelines fit within the larger scope of the framework.
An additional challenge is that some firms work internationally and must conform to international standards and guidelines for security. This is a very different approach to security than that of a local utility, and this must be factored into the final guidelines, he says.
Regarding feedback from the private sector, Sedgewick notes that NIST already has a list of topics collected from the previous RFI and workshops with industry. Among the key topics that have been discussed are concerns from firms about the level of detail and specificity for cybersecurity guidelines, potential civil liberties issues regarding information sharing and the need to ensure that the guidelines speak to senior business leaders. This last concern stems from the fact that many existing rules are written in language directed at security specialists, even though top leadership must be involved in the conversation. “We need a translation for senior business executives,” Sedgewick explains.
The 45-day comment period for the Preliminary Cybersecurity Framework begins on Tuesday, October 29. Information about the framework and the comment period is now posted on the website for the Federal Register, Sedgewick says.
Besides the comment period, NIST will be holding workshops with critical infrastructure providers in North Carolina on November 14 and 15. The comments are due in mid-December, after which the institute will analyze them and include them in the final version of the framework that will be released in February 2014. During this period, NIST will continue to meet with stakeholders, because even when the final version is released, it will continue to be modified as a living document. “A lot of our conversation will be about next steps,” Sedgewick says.