Following a solid year of intensive work, the National Institute of Standards and Technology (NIST) released yesterday its "final" framework for improving critical infrastructure cybersecurity as mandated under a February 2013 executive order by President Obama. The 41-page document closely tracks, with some notable changes, the preliminary framework released by NIST in November.
The framework consists of a core set of activities, outcomes and references that are common across critical infrastructure industries. Also included are implementation tiers that describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics of the framework, as well as a framework profile that aligns standards, guidelines, and practices to the framework core in any particular implementation scenario.
Among the key changes made to the preliminary version is the elimination of a controversial privacy appendix, which many critical infrastructure owners found overly expansive. Instead, softer suggested privacy methodology is now incorporated into a section that provides guidance on how to use the framework.
Another important change is the elimination of any language referring to the "adoption" of the framework. Earlier versions referenced adoption of the framework, sparking many questions at NIST-run workshops and in formal comments regarding how to define adoption, a word that evokes regulation and is potentially contrary to the voluntary nature of the framework. Instead, NIST has emphasized the concept of "using" the framework to improve cybersecurity.
Finally, NIST has revamped its earlier section on areas for improvement in the framework and has instead produced a roadmap for improving upon the framework, covering topics such as authentication; automated indicator sharing; conformity assessment; cybersecurity workforce; data analytics; international aspects; privacy standards; and supply chain risk management.
The framework was widely praised at a high-profile release event in Washington, preceded by a statement from President Obama. The framework "is a great example of how the private sector and government can, and should, work together to meet this shared challenge," Obama said, adding that much more work needs to be done on cybersecurity, particularly the need for Congress to pass legislation that provides greater legal protection to spur greater cybersecurity information sharing.
Michael Daniel, Obama's cybersecurity coordinator, echoed at the launch event the need for congressional action, saying that "the threats are only becoming more sophisticated [a]s our adversaries become more capable in their offenses."
Accolades for the framework poured in from numerous companies and trade associations following its release. "This guideline provides a flexible structure that can help organizations improve information security protection programs to manage risks to industrial control and information systems," Rockwell Automation CEO Keith Nosbusch said in a statement.
The Information Technology Industry Council congratulated NIST for providing a model of effective public-private collaboration. "In effect, the U.S. Government leveraged a tremendous amount of stakeholder input in an open, transparent, and collaborative manner, to create a major cybersecurity policy initiative," Danielle Kriz, Director of Global Cybersecurity Policy for the group said in a blog post.
Even groups that take a wait-and-see attitude remarked upon the effective manner in which the framework was produced. "While we are still reviewing the voluntary cybersecurity framework, we commend the efforts by NIST and the Administration to work collaboratively with the wireless industry on this important issue," Steve Largent, CEO of CTIA-The Wireless Association said in a statement.
NIST's open and collaborative approach has been widely credited as the reason that a potentially useful and broadly accepted framework could be produced with thousands of participants across sixteen diverse critical infrastructure industries in a tight twelve-month time span. "It's the White House being the mother to the rest of the federal government saying 'everybody get in line and make it work,'" Jack Whitsitt, Principal Analyst for EnergySec said. "It's a monumental shift in the public private partnership."
Although NIST plans to continue playing an important role in the framework, the action now shifts to the Department of Homeland Security (DHS) and sector specific government agencies to refine the framework, encourage its use, and develop incentives for critical infrastructure providers to follow it. The main venue for continued work on the framework will be the recently formed Critical Infrastructure Cyber Community (C3 or C-Cubed) Voluntary Program housed at DHS.
And some critical infrastructure providers and technology suppliers fear that what they characterize as the less collaborative, more closed and more political environments of DHS and the sector agencies could undercut the work NIST produced through its wide open approach. "It's not necessarily the best situation," one critical infrastructure provider said. "They have not yet effectively found a way to address people who inject the upstream vulnerabilities," he said, noting that the voluntary program excludes a lot of participants by the nature of its charter.
The narrower nature of the DHS program can actually reduce cybersecurity by locking out some would-be players in the process, some say. Ensuring that industry suppliers and outsiders have a seat at the table was reinforced at the launch event yesterday. "I think any large company that isn't imposing cybersecurity standards on their supply chain has a vulnerability they don't know about," AT&T CEO Randall Stephenson said. "We have a higher dependency than we ever have had in history on vendor supplied software," Joe Rigby, CEO of electric utility Pepco said.
Others say that DHS has demonstrated flexibility in opening up its process. "So far there is every indication that the government is coordinating with the industry and other government agencies," one critical infrastructure owner representative said. "I think we're at a very good starting point and process that is designed to be industry-led, market-driven and flexible."
DHS counters the notion that any further framework development will occur in a much more closed environment. "We have learned a lot in working closely with NIST on the development of the framework," Bob Kolasky, who spearheads the C3 group at DHS, said. "As we go forward with C-cubed to support framework adoption, we will...emphasize a partnership that involves multiple levels of government, a disparate group of industry, regional stakeholders, and non-profits and academia. In doing so, we'll strive to make sure we keep the entire critical infrastructure community involved and use open and transparent methods to do so."
Another concern is that the framework fails to prioritize cybersecurity spending. "Where do I spend my next marginal dollar?" Larry Clinton, head of the Internet Security Alliance asked. "The framework doesn't tell them. I think in two years we're not going to see a substantial reduction in anything."
One group, Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), is worried that the framework misses a very important first cybersecurity step: situational awareness. "The framework is largely a reflection of existing standards and practices and situational awareness is not as completely spelled out as it should be in the long run," Chris Blask, Chair of the ICS-ISAC said.
These and other concerns will continue to be aired under NIST's auspices over the coming months as it continues to fulfill a role as a "convener" as it hand off responsibility to other government groups. NIST may also host another public workshop in the next six months to review stakeholder experience, implementation progress and questions around long-term governance with what it calls Version 1.0 of the framework.
Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.