Assessing Whether Voluntary Approach to the Cybersecurity Framework Will Prove Viable
Now that the cybersecurity framework has been released, security experts are pondering whether the voluntary approach to following the guidance might eventually need to be replaced by some sort of mandate.
The framework, which the National Institute of Standards and Technology released Feb. 12, provides best practices for use in all critical infrastructure sectors, including, for example, government, healthcare, financial services and transportation. The catalog of tools is designed to help organizations develop information security protection programs (see: NIST Releases Cybersecurity Framework).
During a panel discussion on the framework at the National Press Club in Washington Feb. 14, government officials addressed the issue of whether framework compliance could become mandatory for government contractors. And representatives of various industries offered their perspective on the key factors that will determine whether the voluntary approach will have long-term viability.
For the federal government, the framework will prove useful when assessing the security activities of contractors, says Samara Moore, director of critical infrastructure for the White House National Security Council Staff.
When asked about whether following the framework might become a contractor mandate, she references a joint report by the General Services Administration and Department of Defense that addresses cybersecurity around acquisitions. “The report included a set of recommendations on how we can better manage cyber-risk through government procurement efforts,” Moore says.
As part of that effort, federal officials will issue a request for information to see how the framework can best be used to help influence how the government is managing cyber-risk through procurement, she says.
Business Leaders Offer Views
As for whether following the framework will ever be mandatory for other entities that support the nation’s critical infrastructure, Angela McKay of Microsoft stresses that depends on whether the private sector can successfully implement the framework as a voluntary set of security best practices.
“A lot of customers here in the U.S. are assuming regulation is coming,” says McKay, Microsoft’s director for cybersecurity policy and strategy. “That’s the mindset they’re operating in. It’s up to us to demonstrate that an industry-driven, standards-based approach can demonstrably improve cybersecurity.”
Doug Johnson, vice president and senior adviser of risk management policy at the American Bankers Association, notes: “Over time, we’ll see whether or not there’s increasing push toward making some of this mandatory. … It’s up to us in the private sector to do what we can to keep that from happening” by voluntarily adopting the framework.
Moore reiterated the White House’s position on the framework. “We’re not looking and pushing for new regulations here,” she says. “We’re really promoting a voluntary approach and voluntary use of the framework.”
In a conference call with news media on Feb. 12, one senior administration official noted: “We wanted this framework to be voluntary, and that was important because it encourages the widest possible set of stakeholders to come to the table and work with us. It also ensures that the muscle in this approach comes from the companies themselves.”
The success of the framework will be measured by how many organizations actually use it and whether it, indeed, “reduces cybersecurity risk,” says Adam Sedgewick, the NIST executive who led the creation of the framework.
Ari Schwartz, director for cybersecurity privacy, civil liberties and policy at the White House, says the government has already heard from large organizations that are leveraging the framework.
“We’re hearing from companies that are voluntarily committing to do that with their entire supply chain, requiring they use the framework in their risk management process and demonstrate how they’re doing that,” he says.
Last year, during development of the framework, a list of potential incentives was released for review, but they were not included in the document released Feb. 12. Those included, for example, grants and liability limitations for those adopting the framework.
“We’ll be soliciting feedback on incentives through the program,” White House Cybersecurity Coordinator Michael Daniel says. Over the next few months, more details about potential incentives will be shared, he says.
“Incentives will help and that’s the reason we’re spending a lot of time on it,” Schwartz adds. “But because of great support we’ve had from industry, it’s proving not to be as essential as some commentators have said it would be.”
Help with Implementation
In conjunction with the release of the framework, the Department of Homeland Security announced its Critical Infrastructure Cyber Community program, also known as C³ Voluntary Program, which is designed to coordinate cross-sector cybersecurity efforts.
The program’s website says the focus during the first year will be to engage with organizations in various sectors to develop more guidance on how to implement the framework.
In addition, the program will offer “cyber-resilience reviews,” free assessments of an organization’s information technology resilience. The reviews can be a self-assessment or facilitated in-person, according to a senior Obama administration official.
The C³ Voluntary Program also will offer information on threats and vulnerabilities, as well as resources for how to respond to cyber-incidents.
“We recognize there isn’t a one-size-fits-all approach,” said Jenny Menna, director of the stakeholder engagement and cyber infrastructure resilience division at the Department of Homeland Security. “There are different needs across the community here. We need to get feedback about what’s working with the program, what the needs are for the program and how we can build that in.”
Once organizations begin using the framework, NIST plans to integrate lessons learned into future versions of the document. “NIST [plans] to hold workshops and meetings to support use of the framework and address specific areas for further development and alignment,” Daniel says. “Feedback on the framework in practice will be invaluable.”
Federal officials will also be traveling around the country to promote the framework over the next three months, Daniel says. “Kick the tires, try it out, and see where it works and where it doesn’t,” he says. “That’s the only way we can make it better over time.”
Another key next step is addressing sector-specific needs, says NIST’s Sedgewick. The framework, he says, was written to be viewed broadly, making it applicable for organizations in all industries. “There’s lots more work to think about sector-specific needs,” he says.
Follow Jeffrey Roman on Twitter: @gen_sec