When President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” in February 2013, the National Institute of Standards and Technology (NIST) was tasked with delivering a critical component of the national cybersecurity policy. A year later — following extensive collaboration with a diverse mix of government and industry stakeholders — it released Version 1.0 of its Cybersecurity Framework.
Along with the voluntary framework, NIST published a roadmap for future work focused on continuous improvement. The Framework comprises industry standards and best practices — primarily existing standards and proven industry practices — designed to help organizations of every type and size manage their cybersecurity risk. In his 2015 CyberCrime Symposium presentation, Adam Sedgewick, NIST’s senior info technology policy advisor, outlined the Framework’s objectives, the collaborative effort that birthed it, NIST’s role as “convener” in the development process, and the agency’s plans for how that role will evolve.
EO 13636 is part of the Obama administration’s larger cybersecurity strategy, built-on five key priorities. In addition to its #1 objective — protecting the country's critical infrastructure from cyber-threats and increasing its resilience — these priorities are:
- Improving the ability to identify and report cyber incidents to ensure a timely response. A focus here, said Sedgewick, is ensuring the protocols are in place so organizations can share information on instances. It also requires processes and technologies to speed detection and procedures for responding in a way that minimizes damage.
- Engaging with international partners to promote Internet freedom and build support for an open, interoperable, secure, and reliable cyberspace. The Department of Commerce, which oversees NIST, invests significant effort to ensure the Internet becomes “an international body with multi-stakeholder governance” and that it doesn’t become fragmented by interoperability roadblocks, said Sedgewick.
- Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets. In the wake of the Office of Personnel Management breach, there’s heightened urgency surrounding this priority. “This continues to be a challenge, but one of our roles at NIST is working closely with other departments and agencies to improve cybersecurity practices,” Sedgewick said.
- Developing a cyber-savvy workforce and, in partnership with the private sector, moving beyond insufficient security mechanisms. This priority is two-pronged: The first objective is to replace traditional passwords and log-ins with better authentication methods. The second focuses on staffing, training, and education. “We need to develop a workforce where everyone understands their role in cybersecurity,” said Sedgewick. “Not only will organizations have cybersecurity professionals that understand critical infrastructure, but employees across the organization understand how to communicate, manage, and measure cybersecurity and risks.”
In line with its charter, NIST develops cybersecurity standards and guidelines for federal information systems. The NIST 800-53 publication, for instance, provides guidelines for specifying security controls for IT systems. As the world’s largest IT procurer, the federal government is able to attract vendors willing to help develop standards. In turn, standards created by these open, public-private partnerships encourage voluntary adoption by industry.
However, Sedgewick added, as industry closes the procurement gap and the federal IT infrastructure more closely resembles that of the private sector, NIST is continually exploring new ways to partner with industry.
The Cybersecurity Framework, he said, is emblematic of this evolving partnership, as is NIST’s new Applied Cybersecurity Division, which oversees the National Cybersecurity Center of Excellence (NCCoE). Among other duties, the center’s laboratory engineers work with tech providers to define end-to-end security solutions for specific industries. In late 2015, the NCCoE released a draft practice guide to help the financial sector institutions more securely manage their IT assets.
NIST, Sedgewick says, strives to be a neutral body that helps government and industry match business problems with technology solutions. “I think one of the reasons industry likes working with us is because we are, as my boss puts it, ‘aggressively non-regulatory.’ We want people to adopt our standards and guidelines because it helps them with their mission, not because someone requires them to do it.”
Wade In, Then Weigh In
Like the numerous workshops and forums NIST held to get the stakeholder input needed to develop the Framework, the agency is providing organizations plenty of mechanisms for providing post-launch feedback on Version 1.0. In December 2015, it issued an RFI designed to help it understand how adopters are using the framework, as well as to capture suggestions for possible improvements and options for its long-term management. NIST will cover the information gathered at a follow-up workshop slated for April 2016. People can also provide informal feedback by emailing NIST at firstname.lastname@example.org.
“We want to have these conversations,” Sedgewick told symposium attendees. “If there are things you really don't like about the Framework, you have a perfect opportunity to sound-off and tell us how to make it better.”
He also advised the audience to remember what the Framework is—and what it’s not.
“It’s not intended to be a checklist or compliance framework. It’s designed to provide a methodology and means for understanding ways to manage cybersecurity risks, and to complement an organization’s existing cybersecurity operations and standards.”
This is the 7th in our series presenting key takeaways from Sage Data Security’s 2015 CyberCrime Symposium, held November 5-6, 2015. If you missed the filled-to-capacity event, “Collaboration & Information-Sharing,” you can read the entire series here.