The joint effort, by the National Institute of Standards and Technology and a variety of industry groups, is expected to yield a preliminary version of voluntary standards in October.
Although NIST is the key federal organization responsible for hammering out the overall structure of the standards, its top official told Congress that an ongoing partnership with industry, both during and after development of the framework, is vital because it is industry that will have to apply the standards to protect privately owned critical infrastructure. It is a multi-stakeholder process that leverages the best of both sectors, NIST director Patrick D. Gallagher told the Senate Committee on Commerce, Science and Transportation on July 25. A key requirement of the effort is that the resulting standards be scalable and applicable globally.
There are three reasons for industry to lead the process, Gallagher said. The first is know-how and the ability to keep up with rapidly evolving technology. The second is that industry-led processes are more compatible with business. Third, industry-led standards can operate across global markets where government-only solutions cannot.
Speaking for private industry, Arthur W. Coviello Jr., executive chairman of RSA Security LLC, said that any successful government-private sector cybersecurity approach -- either the NIST standards or new proposed cyber legislation -- should consist of three points: It must be industry neutral and consistent, it must help increase investment in research and education, and Congress must move to lower the barriers that currently exist to sharing threat information between government and industry.
One of industry's key goals is the ability to share threat information in real time, said Dorothy Coleman, VP of tax, technology and domestic economic policy at the National Association of Manufacturers. She added that the association opposes any attempts to set up a static regulatory regime but supports the development of globally scalable, flexible standards.
From NIST's perspective, Gallagher noted that his organization works with the private sector to coordinate standard development and as a "corporate memory" for the federal government. It serves in the memory function by helping agencies coordinate their own IT efforts, he said.
Once a cybersecurity framework is in place, there might be a great incentive for firms to adopt it because it might provide a competitive advantage, Coviello told Congress. "It will be a business imperative for firms to protect themselves," he said.
The Obama administration in February issued an executive order directing federal agencies to set up a cybersecurity framework, in response to the failure of a cybersecurity bill to pass in November. The president's order placed NIST at the center of the effort, which calls on the private and public sectors to discuss the best ways to protect the nation's critical infrastructure from cyber attack.
Although pleased with the executive order, committee chairman Sen. John D. Rockefeller (D-WV) last week introduced a new cybersecurity bill based on input he received from industry leaders about what they wanted from cybersecurity legislation. The new effort is a follow-on to the failed bill, which stalled due to heavy resistance from the business lobby.
"NIST's job is to help American industry help itself," said Rockefeller.