(Washington, DC) The National Institute of Standards and Technology (NIST) will release on Wednesday the final version of the comprehensive cybersecurity framework mandated by President Obama's February 2013 cybersecurity executive order, and the final version will contain few surprises, a NIST official said yesterday. "Hopefully there won't be many surprises," Adam Sedgewick, NIST's chief organizer of the framework process, told attendees at the winter meeting of the National Association of Regulatory Utility Commissioners (NARUC) held here.
Since its fifth workshop on the framework in early November, NIST has fielded 2,500 separate comments on the preliminary version of the framework and posted a mid-January update on the changes the agency will incorporate as a result of that feedback. The release of the framework at a White House event on Wednesday (with publication in the Federal Register on the 13th) comes exactly one year to the day after the executive order, an intensely compressed time frame given the magnitude of the topic.
"We went in without a net without thinking about what the framework would look like at the end of the day," Sedgewick said. Although the framework is "final," NIST and government officials refer to it as "framework 1.0," signifying the need for continued evolution as the framework is used by critical infrastructure owners. "From my perspective, there will always be more work to do on this issue."
Once NIST puts the framework out, the Department of Homeland Security (DHS) will be primarily responsible for promoting its use, mostly through a public-private working group known as the voluntary program. "The voluntary program will be our primary vehicle for promoting the framework," said Bob Kolasky, Director of Strategy and Policy in the Office of Infrastructure Protection at DHS. "It is our key next step for how we're going to work with folks like you on how to use the framework."
One critical infrastructure player, electric utility Pepco, already plans to change its procedures as a result of the framework, said Susan Mora, Director of Federal Regulatory Affairs at the utility. Specifically, Pepco will reorganize its core cybersecurity functions to match the five functions of the framework core (Identify, Protect, Detect, Respond, and Recover). Pepco has also volunteered to be one of the first utilities to which the framework will be applied.
Although the framework and the rest of the executive order are positive steps, a major stumbling block to better cyber protection is Congress's inability to pass a cybersecurity bill that would enhance information sharing between government entities and critical infrastructure owners, Mora said. "I think the executive order is a great piece. It checks box one which is standards and practices. [But] there are other boxes that need work. I can't tell you how disappointed I am on the information sharing front."
State regulators play a key role in how the framework is used by utilities, primarily through the approval of cybersecurity expenses in public utility rate-making proceedings. But "rate cases appear to be a dysfunctional pathway for appropriate cybersecurity," industry consultant Andy Bochman told the utility commissioners in a presentation. The adversarial culture surrounding the approval of rate increases can derail better cybersecurity, a goal that utilities and regulators share.