NIST Developing New National Cyber Security Framework

Last February, President Obama issued Executive Order 13549: Improving Critical Infrastructure Cybersecurity. Its intent is to drive new levels of security into the critical infrastructure of the U.S., systems like dams, the power grid, transportation systems, etc. Many stakeholders, both public and private, had input into shaping the EO and its directives. It is controversial, but like it or not, it has created a lot of activity that could impact any business that uses the internet. For a good overview of the EO, see New rules for cybersecurity? Obama's executive order explained. You can read the EO itself here; it is only a few pages long.

In part, the EO charges the National Institute of Standards and Technology (NIST) with developing a national Cybersecurity Framework. The Framework will consist of standards, guidelines, and best practices to promote the protection of private information and information systems supporting U.S. critical infrastructure operations, while protecting business confidentiality, individual privacy and civil liberties. Adherence to the Framework will be voluntary—although there is deep skepticism by some that it will always remain so.

To kick off their efforts, in March NIST issued a public Request for Information (RFI) to industry, government agencies, standards-setting organizations, public-private partnerships, and other stakeholders, seeking information on how respondents currently manage cybersecurity risks within their organizations. Thankfully, NIST does not seem to be trying to reinvent the wheel; instead, they are cataloguing what’s already in use as the basis for the Framework.

I had the privilege of working on Intel’s response to the RFI, and spent six hectic weeks working with an incredibly talented team to formulate Intel’s corporate response to the huge RFI. At the same time, as an Intel representative to the Information Technology Sector Coordinating Committee (IT-SCC), a large public-private partnership, I also worked on their industry-based response with an equally talented group of industry peers. The experience has given me a lot of insight into how the Framework may develop, and along with many others I will be continuing to work with NIST throughout 2013 to build it.

The RFI consisted of 33 questions centered on three major areas: managing cybersecurity, current standards and guidelines already in use, and specific security practices. Some typical questions were, “How do organizations define and assess risk generally and cybersecurity risk specifically?” and, “Do organizations have a formal escalation process to address cybersecurity risks that suddenly increase in severity?” I was pleased to see privacy concerns were explicitly considered in several questions, such as, “What risks to privacy and civil liberties do commenters perceive in the application of these security practices?”

For the Intel response, we wanted to provide as much information as possible on what we know about cyber risk management, while of course also protecting Intel’s proprietary information. Depending on the topic, different experts were assigned to answer a question and then reviewed their answers with a broader group of experts to ensure accuracy. Each answer also had to accurately reflect Intel’s key messages: ever-changing cybersecurity risks call for flexible and nimble risk-management-based solutions; international alignment and harmonization are essential; the Framework must comprehend global privacy and civil rights practices; it must be technology neutral and not prescriptive; and cybersecurity is a shared responsibility, but industry should lead in developing cybersecurity standards and best practices.

Since most of us were fitting this work in with our regular jobs, it created quite a schedule crunch, but we completed the response by the aggressive deadline, April 8. You can read the Intel response in three parts: 1, 2, and 3. The IT-SCC response, which addresses broader IT industry concerns, can be found here.

The next NIST workshop will be held at Carnegie Mellon University in late May. At that workshop, contributors from all 18 critical U.S. infrastructure industries will see NIST’s first rough draft of what they gleaned from all the responses and what the Framework might look like. Should be an interesting discussion, to say the least. I am attending the workshop and will describe how it went in a future blog.