NIST Seeks Industry Information for Cybersecurity Framework

The National Institute of Standards and Technology (NIST) released a request for information on Tuesday, February 26, for the cybersecurity framework demanded by the recent White House executive order.

Speaking on the cybersecurity panel at the AFCEA Homeland Security Conference in Washington, D.C., on Tuesday, Jeff Voas, a NIST computer scientist, said he received his first briefing on the executive order about a week ago and NIST already has begun putting together working groups. The request for information process should be concluded in about 45 days. “We’re only a week or two into this,” Voas said.

The panel included Darren Ash, deputy executive director for corporate management and chief information officer for the U.S. Nuclear Regulatory Commission, which regulates the civilian use of nuclear power. Ash said that most nuclear power plants in this country were built decades ago in an analog environment, whereas more recent applications to build nuclear facilities are grounded in a digital environment.

“We know that cyber is important. What we expected and required of these licensees was to establish their plans on how to address cyber,” Ash said. “What’s important is what we do with it.” Recent nuclear license requirements have been accepted, he reported, and just this fiscal year, the commission has begun to inspect the cybersecurity capabilities to ensure they are meeting the requirements.

Richard Puckett, chief security architect for GE, argued that the term “cyber” is too vague, meaning different things to different sectors. To private sector clients, for example, cyber refers to protection of credit card numbers and other personal information, whereas government and military customers are more concerned with the cyber activities of other nation states and the protection of critical infrastructure.

One audience member agreed, saying that his biggest concern is “overspending on an under-defined term.”