The text below is taken from an email message to members of the Task Force on Cyber Risk from its chairperson
NIST has issued a Request for Information (RFI) about the level of awareness of the Cybersecurity Framework by organizations in the critical infrastructure and their initial experience with the Framework. The official title is Experience With the Framework for Improving Critical Infrastructure Cybersecurity. It was published in the Federal Register this morning (www.gpo.gov/fdsys/pkg/FR-2014-08-26/pdf/2014-20315.pdf).
This is not a direct action item for the Task Force, but it is relevant to our mission and worth monitoring by some of our members. The Framework, even though designed for critical infrastructure, may ultimately influence the general state of cybersecurity, and some of its elements may become or evolve into best practices used by enterprises that are not part of the critical infrastructure. In addition, any potential damage to parts of the critical infrastructure would likely have a significant impact on numerous enterprises that rely on this infrastructure and its reliable functioning.
In February of this year, NIST released the long-anticipated Framework for Improving Critical Infrastructure Cybersecurity. This is an important document that provides what has been described as “a consensus description of what’s needed for a comprehensive cybersecurity program.”
The framework was developed to comply with the Executive Order “Improving Critical Infrastructure Cybersecurity” issued by President Obama in February of 2013. The Executive Order directed NIST to lead the development of a framework to include “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” NIST, working with other agencies and the industry, released its Version 1.0 of the Framework six months ago.
It is always difficult to measure the degree of adoption or even knowledge of a voluntary standard or methodology. The NIST Framework is voluntary. It’s made very clear that the Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. The RFI by NIST is seeking information on the general awareness of the Framework by the critical infrastructure organizations as well as other parties, which sectors and organizations are actively planning to use the Framework or are already using it, how it is used, what areas require special guidance, whether cybersecurity governance is being changed as a result of the Framework introduction, what could be improved, whether the roadmap proposed for making improvements to the Framework is adequate and how it could be improved, and other related issues.
Relevance to our work
It is important to note (1) the voluntary nature of the Framework and (2) the intent to apply the Framework specifically to the critical infrastructure, which was taken into account in the development of the Framework.
This makes it easy to say that because of the scope limitation and its voluntary nature, the Framework is irrelevant to most of our work. After all, even many organizations in the critical infrastructure seem to have done little about the Framework so far, and some may have limited knowledge of it despite the great job NIST has been doing in promoting the Framework and looking for ways to improve it further.
However, if the Framework is going to be implemented, at least to some degree, by the critical infrastructure enterprises, ripple effects could influence the way cybersecurity is handled by other companies. This is a clear positive where some elements of the framework may be adopted outside of the critical infrastructure and improve cybersecurity. Of course, there is also a potential negative if the Framework, designed specifically for critical infrastructure, is pushed on other companies. If it’s done, even unintentionally, suboptimal cybersecurity decisions could be made. For example, a typical applicant for cyber insurance is not part of the critical infrastructure. If a cyber insurance application asks whether the applicant has adopted the NIST Framework, it may create an incentive to adopt at least some of its elements where a different approach may be more appropriate.
Also note the following question in the RFI: “Are organizations using the Framework to communicate information about their cybersecurity risk management programs—including the effectiveness of those programs—to stakeholders, including boards, investors, auditors, and insurers?” The question is addressed to organizations within the critical infrastructure, but their insurers are explicitly mentioned.
In addition, if the NIST Framework is ultimately widely implemented by the critical infrastructure organizations, there will be some effect on any enterprise that has direct or indirect business relationships with these organizations. There is a question in the RFI that touches on this: “Are organizations using the Framework to specifically express cybersecurity requirements to their partners, suppliers, and other third parties?”
Finally, there is no reason to exclude from our analysis the enterprises that are part of the critical infrastructure. They too are within the scope of our work.
Again, this is more of an informational item for the Task Force. It’s not an action item. The views and the interpretation above are my own. Please feel free to disagree. We’ve recognized from the very beginning that diverse viewpoints on many issues are represented on the Task Force on Cyber Risk, and we welcome this diversity—as long as a particular view you express is not attributed to the whole Task Force and its other members.
Note: This post serves the secondary purpose of testing our ability to utilize the blog feature of the site. I think it works. In the future, it should help us maintain a high degree of transparency that’s essential in this collaborative effort. Along with online collaboration tools at our disposal, it should also help to make the work of the Task Force on Cyber Risk more efficient. As we're preparing to start moving very quickly, all of these tools are needed.

Alex Krutov