March 30, 2014

Implementing the Cybersecurity Framework within State and Local Governments

A key NIST Cybersecurity Framework kickoff event was held in Washington DC this week. What happened, what can we learn from the event and what's next?

[Image: US Capitol. Photo credit: Shutterstock]

The State and Local Government Cybersecurity Framework Kickoff Event was held on Thursday, March 27, 2014, at the National Cybersecurity Center of Excellence (NCCoE) just outside Washington DC.

The main message: Get engaged now, wherever your government currently stands on cyberdefense and cybersecurity preparedness. There are plenty of resources, programs, tools and services available immediately to help state and local governments. As almost every speaker pointed out, there are pragmatic steps that can be taken to provide cost-effective cybersecurity, but it must start with engaging key leaders.

I thought the presentations on Thursday provided an excellent overview of the NIST Cybersecurity Framework from a variety of perspectives. The industry panel described how they are implementing the Framework within their companies - offering several valuable insights. Best of all, I think Cheri Caddy from the White House did a fantastic job of leading the discussion at the end of the event – highlighting practical needs and a road map for the future of state and local government cyber efforts.

Background on This Event

The NCCoE event brought together top cybersecurity leaders from across the federal, state and local governments as well as the private sector to gather near the campus of the National Institute of Standards & Technology (NIST). The event organizers provided plenty of read-ahead material before the event, and the event agenda was packed.

State and local government technology and cybersecurity leaders traveled to the event from as far away as Hawaii and Guam, but my team watched the event via a live webcast from Michigan. (There were effective online mechanisms in place to send in questions and comments.)

The meeting was advertised in advance to government leaders via a variety of homeland security channels. The organizers invited CIOs and CISOs to learn about resources for the implementation of the Framework for Improving Critical Infrastructure Cybersecurity, Executive Order 13636. The Framework provides a structure that state and local governments can use to create, guide, assess or improve comprehensive cybersecurity programs.

The morning agenda included:

- Opening comments by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator at the White House

- Overview of NIST cybersecurity activities

- Overview of the National Cybersecurity Center of Excellence (including core partners and resources available with pilot plans)

- National Governors Association cyber initiatives related to the Cyber Framework

- NASCIO cyber initiatives related to the Cyber Framework

- Overview of the Department of Homeland Security voluntary program for states

- Industry panel discussion moderated by Maryland CISO Elliot Schlanger (who did an excellent job). Panelists included:

o Chris Boyer, Assistant Vice President for Public Policy, AT&T

o Danielle Kriz, Director, Global Cybersecurity Policy, Information Technology Industry Council

o John S. Miller, Director of Cybersecurity Policy and Strategy Senior Counsel, Security & Privacy, Intel Corporation

o Angela McKay, Director for Cybersecurity Strategy and Policy, Global Security Strategy and Diplomacy, Microsoft

o Ken Durbin, Continuous Monitoring and Cybersecurity Practice Manager, Symantec

- Group discussion on the way forward – moderated by Cheri Caddy from the White House. The interactive session covered how current initiatives fit together, the identification of gaps and identification of future work needed.

It is my understanding that all of the presentation slides will soon be available at this event webpage. The content is worth viewing.

Main Session Content

The first several sessions did a good job of framing the Cybersecurity Framework. Michael Daniel made it clear that President Obama understands the importance of protecting critical infrastructure – which is why he signed Executive Order 13636 and PPD-21 mandating that this initial Cyber Framework be completed within one year. Completing this Cybersecurity Framework version 1.0 in February 2014 was hard work, but a sign that government can complete tasks on time and on budget. Mr. Daniel described the important work that state and local governments can do in this space as well.

Rather than walking through each of the speaker comments, here are some of the main takeaways that are worth highlighting in my opinion:

- The Cybersecurity Framework helps organizations manage cyber risk and applies existing standards and best practices to address real business challenges.

- The Framework is a flexible, highly adaptable tool that is a living document.

- NIST next steps include roadmaps for development, alignment and collaboration on:

o Technical privacy standards

o Authentication

o Cybersecurity workforce

o Data analytics

o Supply chain (see event website for others)

- The National Cybersecurity Center of Excellence’s (NCCoE’s) mission is to accelerate adoption of secure technologies.

- The NGA Resource Center for State Cybersecurity is engaged in numerous programs such as the Call to Action for Governors on Cybersecurity.

- Doug Robinson provided a very helpful overview of the National Association of State CIOs' (NASCIO's) long history of action on state cybersecurity issues. NASCIO has released numerous helpful publications, videos and best practices that can be leveraged to help state and local governments. This cyber resource guide for states came out in 2013.

- Ms. Jenny Menna, Director of the Stakeholder Engagement and Cyber Infrastructure Resilience Division, Department of Homeland Security (DHS), did an excellent job of describing the DHS Critical Infrastructure Cyber Community (C3) Voluntary Program, which has a number of engagement channels. You can access the gateway at http://www.us-cert.gov/ccubedvp. The primary roles of the C3 Program include:

o Support Use of the Cybersecurity Framework – “The C³ Voluntary Program will also work with the 16 critical infrastructure sectors to develop sector-specific guidance, as needed, for using the Framework.”

o Outreach and Communications – “The C³ Voluntary Program will serve as a point of contact and customer relationship manager to assist organizations with Framework use, and guide interested organizations and sectors to DHS and other public and private sector resources to support use of the Cybersecurity Framework.”

o Feedback – “The C³ Voluntary Program encourages feedback from stakeholder organizations about their experience using C³ Voluntary Program resources to implement the Framework. The C³ Voluntary Program works with organizations to understand how they are using the Framework, and to receive feedback on how the Framework and the C³ Voluntary Program can be improved to better serve organizations.”

- There is a State, Local, Tribal and Territorial (SLTT) Cyber Engagement Program to help state and local governments in many ways. I highly encourage state and local government professionals to visit this US-CERT page to see the many free resources available right now to help with your cyber programs.

- You can learn more about this C3 program by watching this C3 webinar.

- The industry discussion panel focused on ways that the private sector is implementing the Cyber Framework within their companies. The speakers highlighted:

o The need to drive a risk-management culture. This process will lead to an accepted standard of care for businesses.

o We will need actuarial data before data breach insurance becomes broader cybersecurity insurance.

o Advanced Persistent Threat (APT) attacks are still fairly rare. Many more incidents are the result of well-known cyberattack techniques, such as spear-phishing emails tempting staff to click on links. We need to limit user access to reduce exposure. Also, system administration access is still too wide open.

o Typical business environments are seeing social media attacks attempting credential theft.

o We must improve overall industry practices, including user habits. As Cyber Framework 1.0 evolves, we will continue to raise the bar. We need a continuous learning environment.

o Mobile device threats are rapidly growing. Mobility security is the next “big thing.”

Closing Session on Next Steps

My favorite session was the open discussion at the end of the program. Comments came in from both the live audience and online participants. One person said that we need to focus on the emerging threats, the vast scope of the cyber problem and the resources to mitigate our cyber issues.

Cheri Caddy laid out an important “To do” list from the morning. (These are my paraphrased words):

1) Leverage the NCCoE work to give them specific issues that have a state/local focus.

2) Leverage NASCIO state / local government expertise to build an overlay for the Cybersecurity Framework (with metrics) from the state perspective.

3) Use existing survey tools, solution sets, and more to better communicate what’s available now to state and local governments. The beauty of government is that there are no anti-trust concerns in the public sector. Cheri said: “We (governments) must share, share, share!”

4) NGA can help develop and roll out a toolbox of sample legislation, cyber policies, solutions that work, guidelines, governance and other helpful checklists.

5) NGA can also work on model legislation and provide a list of federal resources available to state and local governments.

6) Efforts to build talent and an educated workforce should build on the great work being done with the National Initiative for Cybersecurity Education (NICE). NGA will also be coming out with some cyber workforce recommendations.

7) There will be an extensive federal outreach effort to get the word out, led by DHS and the MS-ISAC. (I hope this blog helps in that regard.)

Quite a few participants discussed the challenges around attracting and keeping cyber talent and building training and employee pipelines to improve the situation moving forward. Another comment concerned the issues of information sharing and the reluctance of many industries to openly share data with the government on threats and incidents.

In conclusion, there are many reasons that the NIST Cybersecurity Framework matters for protecting your state infrastructure. More engagement with state and local governments as well as the private sector communities will be essential to improving our cyberdefenses and defending our nation.

I think this kickoff event was a good beginning to that process. Now the real work of implementing the Cybersecurity Framework begins.