This new approach matters more than most people realize.
On February 12, 2014, a ceremony was held at the White House to announce the release of the National Institute of Standards and Technology (NIST) document entitled: Framework for Improving Critical Infrastructure Cybersecurity.
While the industry reaction to the newest NIST guidance is all over the map, most cyber leaders that I spoke with greeted the voluntary framework with a collective yawn. Phrases like this were common: “It’s ok – I guess.”
Or, “Not much new there for us. We need more specifics for our industry.”
Also heard: “No carrot or stick. Where are the incentives?”
No doubt, several of the companies I spoke with fully support the new Framework and spoke highly of the year-long process to get to this point. Meanwhile, other business leaders were glad that government kept the Cyber Framework voluntary with words like, “I’ll listen to Washington when they get their own (federal government) act together.”
Nevertheless, I believe this new approach is helpful and matters more than most people currently realize. In fact, this NIST Cybersecurity Framework will be studied at universities, governments and businesses around the world and become a part of “Cyber 101” for Information Assurance (IA) and cybersecurity training programs.
No, this Cyber Framework does not uncover new cutting-edge methods for cyber defense, nor is this material for a 400-level course. However, it does create a common language and methodology with a core structure that will lead to the world understanding what is meant by: “Identify, Protect, Detect, Respond and Recover.” It also links to many excellent available resources.
But before we look at specifics regarding why the Cyber Framework matters, here is some basic background on the new document as well as sample press commentary about the Framework’s benefits.
President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. As stated in the NIST Cybersecurity Framework introduction:
“It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses."
Whitehouse.gov issued this announcement on the Cybersecurity Framework launch. Here is an excerpt:
"The Framework gathers existing global standards and practices to help organizations understand, communicate, and manage their cyber risks. For organizations that don’t know where to start, the Framework provides a road map. For organizations with more advanced cybersecurity, the Framework offers a way to better communicate with their CEOs and with suppliers about management of cyber risks. Organizations outside the United States may also wish use the Framework to support their own cybersecurity efforts."
Mixed Press Reaction
There is wide disparity in the articles and press releases that have emerged for and against the new NIST Framework:
PC World led with this positive article on how the new Framework can help secure US enterprises.
The State of Virginia quickly endorsed the new Framework:
"Just hours after the White House officially released the National Cybersecurity Framework, Virginia Gov. Terry McAuliffe announced the commonwealth will adopt it into its existing risk framework…."
Companies like Verizon praised the Framework and the work that went into preparing the document, while using the opportunity to remind the world that they take cyberthreats seriously.
"Verizon has long focused on protecting the security and privacy of our customers, as well as protecting our networks. All businesses – large and small – need to keep their cybersecurity defenses updated to respond to continually evolving cyberthreats, but not all businesses have the tools or resources to do so. We applaud the administration for bringing together a wide range of stakeholders to create this cyber framework, which provides a useful tool for companies as they consider the right mix of cyberdefenses to protect themselves and their customers."
My friends over at CSO Magazine called the Framework “better than nothing” in January 2014, citing mixed reviews throughout the industry.
But other reviews were even less positive:
Computerworld led with this article: After Healthcare.gov debacle, group pushes for tests of NIST cybersecurity framework - Larry Clinton from the Internet Security Alliance (ISA) said more testing is needed to understand what implementation of the framework really means.
Allan Pallor from SANS went further. In SANS NewsBites Vol. 16 Num. 011, he said:
“Ooops. The White House is about to step in cyber doo doo. Rather than allowing the impotent and irrelevant "Cyber Framework" to quietly fade away, Michael Daniel, the White House Cyber Coordinator, plans to
highlight it as an illustration of Obama Administration leadership. The Framework is the kind of non-effective guidance that led to the Administration's cyber leadership failures documented by Senator Coburn earlier this week..."
On Friday of this week, Mike Assante was a bit kinder in their Valentine Day's SANS newsletter:
“I applauded the President's action and prioritization of the series of problems we identify with cyber threats and I appreciate that NIST called out the need to address operational technology (specifically automation and ICS) alongside of traditional information technology. At this stage we should have taken the opportunity to explain the real "what" (nature of cyber threats) and the practical "how" to enhance our collective cybersecurity posture….
My View – Five Reasons Why the Cyber Framework Truly Matters
1) The first reason that this Cyber Framework matters is that it comes from NIST - after a year of hard work and several reviews from the public and private sector. NIST has a long track record of setting good standards and roadmaps that federal, state and local government use extensively - from 800-53 to the many other great resources available at their Computer Security Resource Center website. Obviously, this Framework has the backing of the White House and federal agencies, as well as many key players in the private sector – who reached more than a few compromises to produce the final document.
2) The Cyber Framework also offers a common language that can be used across industries as well as best practice options and processes for industry and government. The diagram below shows some of those relationships.
Figure 1: Framework Core Structure
3) While many criticize the Framework for being voluntary, the Cyber Framework offers the basis for future incentives and penalties that will likely be coming from the White House. It was industry that let government officials know that they didn’t want new regulations or compliance mandates, although this approach may still lead to some of that down the road. Regardless, this will be the beginning of the cyber “Yellow Brick Road” for many companies that are late to the journey. Others that are further along can use this model to strengthen defenses.
4) The focus on risk management through Framework implementation tiers offers a helpful model for organizations to gauge progress. As described in the plan: “The Framework Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.”
Tiers do not represent maturity levels. Progression to higher tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.
5) The Framework offers a continuous improvement process. Cybersecurity is evolving and not a one-time destination. The helpful diagrams describe the roles of various decisions required from the organization at different levels. This Framework offers a good guide to begin to understand cybersecurity complexity and ongoing challenges.
Figure 2: Notional Information and Decision Flows Within an Organization
Bottom Line - And Next Steps
I believe the NIST Cybersecurity Framework is a positive step forward, and our Michigan team will be working with our federal government colleagues and private sector partners to implement key aspects of the Cybersecurity Framework over the coming year.
More help is also on the way for state and local governments nationwide, as DHS announced yesterday (on an MS ISAC call) that additional resources will be coming soon to help state and local governments in new ways with cybersecurity projects that implement the new Framework. The exact details of these new plans will be announced later in February – possibly at the RSA conference in San Francisco.
These Cybersecurity Framework implications, activities and related topics will also be discussed in a panel that I will be on at RSA. Panel details can be viewed at: http://www.rsaconference.com/events/us14/agenda/sessions/1069/government-x-2-state-and-federal-collaboration-on
In the meantime, I urge readers to visit the DHS website describing the Critical Infrastructure Cyber Community C³ Voluntary Program, which describes upcoming outreach activities and next steps in implementing the Framework.
Organizations may access the C³ Voluntary Program website at http://www.us-cert.gov/ccubedvp or contact the C³ Voluntary Program at firstname.lastname@example.org.
Most of all – read the new NIST Framework for Improving Critical Infrastructure Cybersecurity.
Afterward – become engaged in improving the critical infrastructure cybersecurity for your enterprise.
Update on Feb 18, 2014: The White House has posted a list of quotes from leading private sector and government leaders that support the new Cyber Framework from NIST. The list of quotes can be seen at: http://www.whitehouse.gov/sites/default/files/docs/cybersecurity_framework_-_what_others_are_saying.pdf