The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. It's a catalog of industry best-practices and standards that creates a voluntary template for companies to use in developing better security programs.
The Framework for Improving Critical Infrastructure Cybersecurity "enables organizations -- regardless of size, degree of cybersecurity risk, or cybersecurity sophistication -- to apply the principles and best-practices of risk management to improving the security and resilience of critical infrastructure," the White House said in a statement.
Although the document was hailed by administration officials as a "major turning point" in cybersecurity, it contains little that is revolutionary or even new. The National Institute of Standards and Technology, working with the Homeland Security Department and industry stakeholders, has compiled a set of known, publicly vetted standards that can be applied to identify, protect from, detect, respond to, and recover from risks.
The framework is technology-neutral and does not specify tools or applications to be used. Choices of technology are left to the user in addressing each category of risk management.
[Experts believe NIST's voluntary Cybersecurity Framework will become the de facto standard for litigators and regulators. Read NIST Cybersecurity Framework: Don't Underestimate It.]
The framework is built on three basic components:
- Core. A set of common activities that should be used in all programs, providing a high-level view of risk management.
- Profiles. These help each organization align cybersecurity activities with its own business requirements, and to evaluate current risk management activities and prioritize improvements.
- Tiers. Tiers allow users to evaluate cybersecurity implementations and manage risk. Four tiers describe the rigor of risk management and how closely it is aligned with business requirements.
The framework is one leg of a three-pronged program set out in a presidential executive order on protecting privately-owned critical infrastructure, issued one year ago in response to Congress's failure to pass cybersecurity legislation. The second leg involves information sharing among companies and between the public and private sectors. The third leg attempts to address the protection of privacy and civil liberties.
Privacy was a difficult area for stakeholders to come to a consensus on during the five public workshops and multiple iterations of the document. Some protections are incorporated in instructions for using the framework, but privacy was identified as an area that needs to be better addressed in future versions.
Although it would be difficult today for any attack to cause widespread, long-lasting damage to the nation's critical infrastructures, cyberattacks are becoming more effective. Demonstrated weaknesses in the IT systems that control and support the energy, transportation, financial services industries, and others leave them vulnerable to these attacks.
Although the framework is voluntary and will depend primarily on "enlightened self-interest" to drive its use, it is not entirely without teeth. Regulatory agencies are working to harmonize existing regulations with the document, and government procurement requirements are likely to include conformance to the framework for contractors and suppliers.
But one White House official said during a briefing, "The goal is not to expand regulation."
Other incentives for adoption are expected to include public recognition, cyber insurance and cost recovery programs, all of which can be implemented without legislation. Administration officials said they will ask Congress for additional authority as needed, for protections such as limitations on liability for companies adopting the framework. But given the slow pace of legislation in the current Congress the administration's goal is to convince companies operating critical infrastructure that using the framework would be a good business decision.
Drafters said the framework creates a shared vocabulary for discussing and describing cybersecurity that can be used by a broad range of companies in different industries to create and evaluate risk-management programs. Gaps in programs can be identified and plans tailored to meet the specific needs for each user.
Focus on resilience
In an effort to support adoption of the framework by the private sector, the Department of Homeland Security is also launching a voluntary Critical Infrastructure Cyber Community program. According to DHS Secretary Jeh Johnson, the program will provide a "single point of access" to the department's cybersecurity experts for anyone needing help or advice.
Although the program is just getting underway, one of its services, the Cyber Resilience Review, has already been widely used by industry. The review lets organizations assess their current programs and determine how well they are aligned with the practices and standards of the framework. More than 300 of the reviews have been carried out.
President Obama, in a prepared statement, called the framework a turning point, but added, "It's clear that much more work needs to be done," a sentiment shared by the document's supporters and detractors alike.
Bob Dix, VP of global government affairs and public policy for Juniper Networks, called it "a laudable first step," but said "there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure."
Because the framework is based on existing practices and standards, it has been criticized as enshrining the status quo rather than advancing cybersecurity. NIST officials said it is a living document that will be regularly updated.
A preliminary draft of the framework laid out areas for improvement to be addressed in future versions. These include authentication, automated information sharing, assessing compliance with standards, workforce development, big data analytics, international impacts, privacy standards, and supply chain management.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.