Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- Mission-critical Apps in the Cloud
- Mobile Device Management
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
White House cyber framework focuses on flexibility, risk for critical infrastructure providers
Wednesday - 2/12/2014, 4:15pm EST
Now that the National Institute of Standards and Technology and the Homeland Security Department released the cybersecurity framework for critical infrastructure providers Wednesday, agencies have until May to figure out how it fits into their regulations.
Executive branch agencies will review existing regulatory guidance and rules in their oversight areas, and in May propose changes that are prioritized and based on risk to mitigate threats and vulnerabilities, said Michael Daniel, the White House's cybersecurity coordinator during an event in Washington.
"The goal from the administration's standpoint is not to expand regulation. Our goal in this area is to streamline existing regulations, and wherever possible bring those regulations into alignment with the framework," Daniel said. "We are encouraging those agencies to focus on voluntary efforts and programs to support the adoption of the framework. For those sectors where regulations already exist, we're encouraging those agencies to engage in processes to support efforts to harmonize and align current regulations with the framework. Obviously, while we can't direct the independents to do anything, we've invited them to follow the same process."
|"Although the threats are serious and they constantly evolve, I believe that
if we address them effectively, we can ensure that the Internet remains an engine
for economic growth and a platform for the free exchange of ideas."
- President Barack Obama
|"Thanks to these efforts, companies now have a common, but flexible path
forward to better secure their systems and also a meaningful way to measure their
-Sen. Tom Carper (D-Del.)
|"The framework represents an effective approach to cybersecurity because it
leverages public-private partnerships."
-Dean Garfield, president and CEO of the IT Industry Council
|"A voluntary, risk-based tool that can be utilized by a broad array of
-Renee James, president of Intel
|Read more reactions to the cyber framework.|
A senior administration official, who spoke on condition of anonymity, said agencies likely will engage with stakeholders as part of how they do normal oversight.
"It varies a lot depending on particular sector and agency involved. That work is going on right now across the different regulatory agencies," the official said.
The regulatory agencies also have been part of the process to develop the framework over the last year.
The much-watched and anticipated Framework for Improving Critical Infrastructure Cybersecurity focuses on risk management and flexibility to assist the nation's critical infrastructure providers and other businesses improve their cybersecurity.
The framework consists of three parts:
- Core - A set of cybersecurity activities, outcomes and informative
references that are common across critical infrastructure sectors, providing the
detailed guidance for developing individual organizational Profiles.
- Profile - Helps organizations align their cybersecurity activities with
their business requirements, risk tolerances and resources.
- Implementation Tiers - Provides a way for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
"At its core, the framework serves as bridge between business leaders and information security professionals. Together you can use this framework to gauge the appropriateness of your organization's cybersecurity investments," said Penny Pritzker, the Commerce Department secretary. "As such, if a business leader wants to do more to address cybersecurity, but doesn't know where to begin, the framework can be of great help. The overall goal of the framework is to help organizations align their policies, their technologies and their day-to-day business operations to better protect data and information technology systems. The framework is crafted in a way it can help any organization regardless of size, sophistication or level of cyber risk."
NIST has led the effort to bring together industry, academia and others to offer insights and comments on how best to create the best practices guide.
Vendors and associations alike praised NIST's efforts to bring the community together.
"The chamber has valued NIST's involvement with the cybersecurity framework as they have treated the business community as a genuine partner in identifying existing cybersecurity standards and practices that are effective in improving security and resilience," said Ann Beauchesne, the U.S. Chamber of Commerce's vice president of national security and emergency preparedness in an email statement. "Much still remains to be seen in terms of how the cyber framework is implemented and revised, especially the roles that regulatory agencies and departments will play."
Along with the framework, DHS launched the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to increase awareness and use of document.