From May 29 to 31, 2013, stakeholders from across the critical infrastructure sectors gathered in Pittsburgh, PA to engage with the National Institute of Standards and Technology (NIST) as it continues to develop the Cybersecurity Framework under the authority of President Obama’s recent Executive Order on Critical Infrastructure Cybersecurity. Stakeholders will have two more opportunities to work with NIST, on July 10 – 12 in San Diego, CA and in September (dates and location to be determined), before preliminary and final versions of the Framework are published.
The recently concluded session was the second of four workshops on the Cybersecurity Framework. Over the course of three days, representatives from sectors such as electric, oil and natural gas, communications, chemical, critical manufacturing, and defense, as well as service providers and product developers, gathered at Carnegie Mellon University to participate in discussion sessions and hear from an array of speakers at plenary gatherings. Notably, NIST announced that the third workshop will be held at the University of California, San Diego and will focus on selecting individual components of the Cybersecurity Framework using the outputs of the second workshop. The final workshop will focus on preparing the preliminary draft of the Cybersecurity Framework in September 2013. NIST has not yet announced the location of the final workshop.
Prior to the workshop, NIST released an Initial Analysis of responses to the Request for Information (RFI) that it issued in February 2013 regarding current cybersecurity practices employed by stakeholders. This analysis documented NIST’s review of all responses to the RFI and identified the following.
- Framework Principles - characteristics and considerations the Framework must encompass according to the RFI responses including flexibility, understanding the impact of the Framework on global operations, and leveraging existing approaches, standards, and best practices.
- Common Points - practices identified by the responses as having wide utility and adoption, such as engaging senior management; emphasizing "baseline security" (or core cybersecurity) practices that any organization should fulfill; understanding the threat environment; treating cyber risk in the context of, and in conjunction with, overall business risk; encouraging separation of business systems from operational systems; utilizing varying levels of maturity in order to accommodate entities of different sizes and needs; emphasizing incident response; and recognizing the need for a robust cybersecurity workforce.
- Initial Gaps - areas in which the RFI responses were not sufficient to meet the goals and directives of the Executive Order. Current gaps include metrics, privacy and civil liberties, use of tools, identification of dependencies, industry best practices, resiliency, and critical infrastructure cybersecurity nomenclature.
The Pittsburgh workshop fleshed out Common Points and filled in Initial Gaps. Workshop participants completed four tracks during the session, with a goal of identifying common practices, methods, and measures for each topic or subtopic. The tracks included:
- The Business of Cyber Risk;
- Threat Management;
- Cybersecurity Dependencies and Resiliency; and
- Progressive Cybersecurity: From Basics to Advanced Cybersecurity.
The workshop participants developed a number of outputs. For example, participants in The Business of Cyber Risk track contributed to a validated and updated list of relevant policy drivers for identifying, assessing, and mitigating cyber risk; successful implementation strategies; and useful metrics. Elsewhere, participants in the Progressive Cybersecurity track provided inputs for a validated list of maturity models, a validated list of “cybersecurity hygiene” activities, and a progressive list of cybersecurity activities. These outputs, which were not subject to review by workshop attendees, will next be filtered by a determination of whether the practices support the core objectives of the Executive Order (i.e., that the Framework maintain business confidentiality; be flexible, repeatable, performance-based, cost effective, and technology neutral; be well-aligned with established performance measures; and afford appropriate protections for privacy and civil liberties). Finally, as part of the next workshop, candidate framework components will be selected from the filtered outputs.
NIST will post a summary of the Workshop Track outputs, as well as an illustrative outline of the framework, in June 2013.
Participants clarified during the workshop that the Framework must:
- Not conflict with existing regulatory requirements;
- Have content for multiple audiences and relate to business drivers;
- Take a modular approach to allow for differences between businesses and industries;
- Refer to existing frameworks, standards, guidelines and practices; and
- Engage business executives (as failure to do so could result in low buy-in vis-à-vis adoption of the Framework).
NIST also identified common themes during the workshop, including:
- The need to clearly define risk management accountability and responsibility;
- Recognition of the need for additional work to identify unique privacy and civil liberties needs specific to critical infrastructure;
- Recognition that different types of dependencies must be addressed regarding technology, business partners, and processes;
- Identification of trained workforce needs;
- Acknowledgment that a modular Framework model is beneficial for identifying and prioritizing areas for potential investment and is ideal for scalability; and
- Recognition that foundational cybersecurity practices continue to be an identified gap regarding currently implemented practices.
Based upon the group discussions at the Carnegie Mellon workshop, NIST concluded that the Framework: (i) must recognize the connection between enterprise/mission and cybersecurity risk management; and (ii) must support cyber risk management in the context of individualized business decision-making. NIST also indicated, as part of effective and robust cyber risk management, that standards, guidelines, and common practices must be identified to understand, prevent, detect, respond, recover, and improve.
Venable will continue to closely follow NIST’s progress on the development of the Cybersecurity Framework, including the two remaining workshops. With a preliminary draft of the Framework in sight, readers may have questions about the potential impact the Cybersecurity Framework will have on their respective businesses. Venable’s attorneys are well-positioned to answer any such questions, having participated in and attended all relevant meetings conducted by NIST since the Executive Order was issued in February.