NIST Cybersecurity Framework Gets a Lot of Love from Congress in Oversight Hearings


Over the past eight days both the House of Representatives and the Senate have held oversight hearings on the voluntary critical infrastructure cybersecurity framework that the National Institute of Standards and Technology (NIST) is developing pursuant to President Obama’s February 12, 2013 executive order. On July 18, the House Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing on the development of the framework, which was followed by a Senate Commerce Committee hearing yesterday on the partnership between NIST and the private sector to hammer out the framework.

Little in the way of controversy or news emerged during either hearing, with both arms of Congress expressing strong support for the NIST initiative, which will appear in preliminary form in October and final form in February 2014.  “I believe that the outline of NIST’s framework provides an important step to increasing our nation’s awareness and ability to protect our networks from crippling cyber attacks,” House Subcommittee Chairman Patrick Meehan (R-PA) said.

“Getting NIST involved in cybersecurity makes a lot of sense, because NIST already has decades of experience working with the private sector on computer security issues,” Senator Jay Rockefeller (D-WV), Chairman of the Senate Commerce Committee, said. Rockefeller, along with Ranking Member John Thune (R-SD), has introduced a bill, The Cybersecurity Act of 2013, that would codify into law the voluntary framework that NIST produces, legislation that Rockefeller said yesterday will go to mark-up before Congress recesses in August.

All of the witnesses at both hearings said that the framework process is humming along nicely. “I’m actually quite excited by the progress we have made and the response we’ve got from the private sector,” Charles Romine, Director of NIST’s Information Technology Laboratory, told the House Subcommittee, referring to the three workshops NIST has held with the private sector in developing the framework. “We’ve achieved over the course of a relatively short time a consensus on the framework.”

And all of the witnesses said that the framework is an excellent initiative to tackle the cybersecurity challenges that industry and government face. “The approach to the cybersecurity framework set out in the executive order will allow industry to protect our nation from the growing cybersecurity threat while enhancing America’s ability to innovate and compete in a global market,” NIST Director Patrick Gallagher told the Senate Committee.

A few interesting points were briefly touched upon in both hearings. The first is whether Congress should recommit to passing comprehensive cybersecurity legislation. During the waning days of the last Congress, efforts to pass tougher cybersecurity legislation were derailed in the face of opposition by both industry interests and privacy advocates, prompting President Obama to issue his executive order to compensate for the failure.

“I have concerns that a self-assessment may not be sufficient to incentivize action to bolster cyber defenses,” Rep. Meehan said during the Subcommittee hearing, referring to the public-private partnership underlying the voluntary standards. “Ultimately, I believe it is the consensus of this committee that Congress must pass legislation, in order to address many of these outstanding issues.”

Meehan was specifically referring to cyberthreat information-sharing among private sector and government entities, which most experts believe requires an act of Congress. Rockefeller, who is also a member of the Senate Intelligence Committee, said during yesterday’s hearing that the Intelligence Committee plans to introduce a bill that would permit and facilitate information sharing.

A related issue is the degree to which the voluntary standards should ever become mandatory requirements, either through legislation or through existing or new regulatory authorities. “If we can create confidence in the marketplace [with the framework] then I don’t think government needs to get involved,” Robert Kolasky, Director of the Integrated Task Force charged with implementing the executive order at the Department of Homeland Security, told the House Subcommittee.

As to whether regulatory or other government agencies can enforce the framework in some fashion through their existing authorities, a subject of examination under the executive order, “until the agency actually tries to create regulations one doesn’t really know what’s going to happen,” Eric Fischer, Senior Specialist at the Congressional Research Service, told the House Subcommittee. “If they do have the authority they may do it anyway.”

NIST Closer to Solidifying Critical Infrastructure Cybersecurity Framework


The National Institute of Standards and Technology (NIST) held in San Diego last week the third of four workshops to develop a comprehensive cybersecurity framework for critical infrastructure as required under an executive order signed by President Obama on February 12, 2013.  As my latest piece for CSO discusses, it won't be clear what the 500 participants produced until NIST releases its summary document later this month.

But several cracks in the process continued to emerge during the workshop, including doubts about whether NIST is trying to recreate the wheel, whether enough critical infrastructure sectors are actually participating in the process, whether DHS and NIST are coordinating well enough and whether this whole thing might slip from the voluntary to the mandatory category.

Check out the piece here.

DHS Official: Napolitano Departure Won't Delay Cybersecurity EO or PPD Tasks


(La Jolla, CA) A top Department of Homeland Security (DHS) official involved in a number of initiatives flowing from President Obama's February 12 cybersecurity executive order (EO) and Presidential Policy Directive (PPD) said today that the impending departure of DHS Secretary Janet Napolitano shouldn't delay any of the time-sensitive and crucial tasks assigned to DHS under the EO and PPD.

At a workshop hosted here at the University of California, San Diego (UCSD), Robert Kolasky, Director of the DHS Integrated Task Force, said in an interview that (acting) DHS Deputy Secretary Rand Beers "is well familiar with the work involved. I don't anticipate any delays." The workshop, run by the National Institute of Standards and Technology, was a key event in the development of a voluntary critical infrastructure cybersecurity framework. Napolitano is leaving DHS in September to run the University of California system (UCSD is part of that system, although the NIST workshop and Napolitano's new role are unrelated).

As the table below highlights, not only has DHS been assigned a central coordinating role in both the EO and PPD, it also has a number of fast-track tasks that must be completed prior to Napolitano's departure. DHS officials say that the agency has fulfilled its obligations on all of the tasks, in that it has submitted the required reports and materials to either the President or the Office of Management and Budget (OMB) by each deadline that has occurred to date. None of the reports listed in the table below have been made public yet, although Kolasky said that at least one of them, the recommendations on the incentives critical asset owners need to participate in the new wide-ranging security efforts, will be made public by the end of July.

NIST Gets Down to Brass Tacks on Cybersecurity Framework in San Diego


Starting tomorrow in San Diego, the National Institute of Standards and Technology (NIST) will host the third, and perhaps most important, in a series of workshops aimed at developing a voluntary comprehensive cybersecurity framework that will apply across sixteen critical infrastructure sectors.

As the first in a series of articles I've been commissioned to write for CSO Magazine discusses, the NIST process faces a host of challenges, including CEO apathy, government agency rivalry, and asset owners' fear of vendor dominance. Still, most of the major players say everything is on track and proceeding as expected.

Check out the article here.
