White House details initial ideas for industry cyber incentives
Wednesday - 8/7/2013, 6:28am EDT
The departments of Commerce, Homeland Security and Treasury submitted suggestions to the White House on what incentives the government can offer to induce critical infrastructure providers to use the cybersecurity framework to improve their systems and networks.
"The recommendations were developed in a relatively short time frame and with the understanding that the Cybersecurity Framework and Voluntary Program are still under development," wrote Michael Daniel, the White House cybersecurity coordinator, in a blog posted Tuesday. "Yet, they incorporate significant feedback from many of our stakeholders, including the critical infrastructure community, through the DHS-led existing public-private partnerships with critical infrastructure, and a Notice of Inquiry issued by the Commerce Department."
President Barack Obama called for the framework in his February 2013 executive order. NIST will complete the draft framework by October and finalize it by February.
NIST has held a series of listening sessions to gather feedback on the framework. The next one is scheduled for Sept. 11 in Dallas.
Additionally, the General Services Administration released a request for information to the public in May asking for comments or suggestions on which acquisition incentives would help get companies to adopt the cybersecurity framework.
Daniel wrote the three agencies came up with eight recommendations:
- Cyber insurance: The government should work with the insurance industry to "build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market."
- Grants: Over the next six months, agencies will develop weighted criteria to be used in federal grant applications.
- Process preference: The government would put companies participating in the voluntary program on a priority list to deliver services, and provide technical assistance more quickly to critical infrastructure providers as needed. "As we work with the private sector over the next six months to develop the Voluntary Program, we will simultaneously identify and examine specific programs where this approach could be helpful."
- Liability limitation: Agencies identified a range of areas where more information is necessary to determine if legislation to reduce liability on program participants may be necessary. These areas include reduced tort liability, limited indemnity, lower burdens of proof, or the creation of a federal legal privilege that preempts State disclosure requirements.
- Streamline regulations: The goal would be to make compliance easier for program volunteers by, for instance, eliminating overlapping laws and regulations, enabling equivalent adoption across regulatory structures and reducing audit
- Public recognition: DHS would come up with ways to highlight those companies implementing the framework.
- Rate recovery for price regulated industries: The idea is to see if state and local regulators would consider letting utilities recover money for cyber investments made to comply with the framework.
- Cybersecurity research: Agencies would identify areas where commercial hardware and software are available to implement the framework and where the gaps exist. The government would emphasize those gaps in research and development opportunities.
"Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders," Daniel wrote. "We believe that sharing the findings and our plans for continued work will promote transparency and sustain a public conversation about the recommendations. Publishing these agency reports is therefore an interim step and does not indicate the administration's final policy position on the recommended actions."
Larry Clinton, the president and CEO of the Internet Security Alliance, applauded the White House's release of the incentive suggestions.
Clinton said in a release that the incentives "will provide the sustainable fuel to power the engine of enhanced standards and practices being developed by NIST pursuant to the President's Executive Order."