BreachExchange mailing list archives

Cybersecurity Framework: What's Next?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Feb 2014 18:56:09 -0700

http://www.databreachtoday.com/cybersecurity-framework-whats-next-a-6508

Now that the cybersecurity framework has been released, security experts
are pondering whether the voluntary approach to following the guidance
might eventually need to be replaced by some sort of mandate.

The framework, which the National Institute of Standards and Technology
released Feb. 12, provides best practices for use in all critical
infrastructure sectors, including, for example, government, healthcare,
financial services and transportation. The catalog of tools is designed to
help organizations develop information security protection programs (see:
NIST Releases Cybersecurity Framework).

During a panel discussion on the framework at the National Press Club in
Washington Feb. 14, government officials addressed the issue of whether
framework compliance could become mandatory for government contractors. And
representatives of various industries offered their perspective on the key
factors that will determine whether the voluntary approach will have
long-term viability.

For the federal government, the framework will prove useful when assessing
the security activities of contractors, says Samara Moore, director of
critical infrastructure for the White House National Security Council Staff.

When asked about whether following the framework might become a contractor
mandate, she references a joint report by the General Services
Administration and Department of Defense that addresses cybersecurity
around acquisitions. "The report included a set of recommendations on how
we can better manage cyber-risk through government procurement efforts,"
Moore says.

As part of that effort, federal officials will issue a request for
information to see how the framework can best be used to help influence how
the government is managing cyber-risk through procurement, she says.

Business Leaders Offer Views

As for whether following the framework will ever be mandatory for other
entities that support the nation's critical infrastructure, Angela McKay of
Microsoft stresses that this depends on whether the private sector can
successfully implement the framework as a voluntary set of security best
practices.

"A lot of customers here in the U.S. are assuming regulation is coming,"
says McKay, Microsoft's director for cybersecurity policy and strategy.
"That's the mindset they're operating in. It's up to us to demonstrate that
an industry-driven, standards-based approach can demonstrably improve
cybersecurity."

Doug Johnson, vice president and senior adviser of risk management policy
at the American Bankers Association, notes: "Over time, we'll see whether
or not there's increasing push toward making some of this mandatory. ...
It's up to us in the private sector to do what we can to keep that from
happening" by voluntarily adopting the framework.

Moore reiterated the White House's position on the framework. "We're not
looking and pushing for new regulations here," she says. "We're really
promoting a voluntary approach and voluntary use of the framework."

In a conference call with news media on Feb. 12, one senior administration
official noted: "We wanted this framework to be voluntary, and that was
important because it encourages the widest possible set of stakeholders to
come to the table and work with us. It also ensures that the muscle in this
approach comes from the companies themselves."

The success of the framework will be measured by how many organizations
actually use it and whether it, indeed, "reduces cybersecurity risk," says
Adam Sedgewick, the NIST executive who led the creation of the framework.

Ari Schwartz, director for cybersecurity privacy, civil liberties and
policy at the White House, says the government has already heard from large
organizations that are leveraging the framework.

"We're hearing from companies that are voluntarily committing to do that
with their entire supply chain, requiring they use the framework in their
risk management process and demonstrate how they're doing that," he says.

Incentives

Last year, during development of the framework, a list of potential
incentives was released for review, but they were not included in the
document released Feb. 12. Those included, for example, grants and
liability limitations for those adopting the framework.

"We'll be soliciting feedback on incentives through the program," White
House Cybersecurity Coordinator Michael Daniel says. Over the next few
months, more details about potential incentives will be shared, he says.

"Incentives will help and that's the reason we're spending a lot of time on
it," Schwartz adds. "But because of great support we've had from industry,
it's proving not to be as essential as some commentators have said it would
be."

Help with Implementation

In conjunction with the release of the framework, the Department of
Homeland Security announced its Critical Infrastructure Cyber Community
program, also known as C³ Voluntary Program, which is designed to
coordinate cross-sector cybersecurity efforts.

The program's website says the focus during the first year will be to
engage with organizations in various sectors to develop more guidance on
how to implement the framework.

In addition, the program will offer "cyber-resilience reviews," free
assessments of an organization's information technology resilience. The
reviews can be a self-assessment or facilitated in-person, according to a
senior Obama administration official.

The C³ Voluntary Program also will offer information on threats and
vulnerabilities, as well as resources for how to respond to cyber-incidents.

"We recognize there isn't a one-size-fits-all approach," said Jenny Menna,
director of stakeholder engagement and cyber infrastructure resilience
division at the Department of Homeland Security. "There are different needs
across the community here. We need to get feedback about what's working
with the program, what the needs are for the program and how we can build
that in."

Framework's Future

Once organizations begin using the framework, NIST plans to integrate
lessons learned into future versions of the document. "NIST [plans] to hold
workshops and meetings to support use of the framework and address specific
areas for further development and alignment," Daniel says. "Feedback on the
framework in practice will be invaluable."

Federal officials will also be traveling around the country to promote the
framework over the next three months, Daniel says. "Kick the tires, try it
out, and see where it works and where it doesn't," he says. "That's the
only way we can make it better over time."

Another key next step is addressing sector-specific needs, says NIST's
Sedgewick. The framework, he says, was written to be viewed broadly, making
it applicable for organizations in all industries. "There's lots more work
to think about sector-specific needs," he says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)