White House cyber framework focuses on flexibility, risk for critical infrastructure providers

Wednesday - 2/12/2014, 4:15pm EST

Now that the National Institute of Standards and Technology and the Homeland Security Department released the cybersecurity framework for critical infrastructure providers Wednesday, agencies have until May to figure out how it fits into their regulations.

Executive branch agencies will review existing regulatory guidance and rules in their oversight areas and, in May, propose changes that are prioritized and based on risk to mitigate threats and vulnerabilities, said Michael Daniel, the White House's cybersecurity coordinator, during an event in Washington.

"The goal from the administration's standpoint is not to expand regulation. Our goal in this area is to streamline existing regulations, and wherever possible bring those regulations into alignment with the framework," Daniel said. "We are encouraging those agencies to focus on voluntary efforts and programs to support the adoption of the framework. For those sectors where regulations already exist, we're encouraging those agencies to engage in processes to support efforts to harmonize and align current regulations with the framework. Obviously, while we can't direct the independents to do anything, we've invited them to follow the same process."

"Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas."
- President Barack Obama

"Thanks to these efforts, companies now have a common, but flexible path forward to better secure their systems and also a meaningful way to measure their progress."
- Sen. Tom Carper (D-Del.)

"The framework represents an effective approach to cybersecurity because it leverages public-private partnerships."
- Dean Garfield, president and CEO of the IT Industry Council

"A voluntary, risk-based tool that can be utilized by a broad array of organizations."
- Renee James, president of Intel

A senior administration official, who spoke on condition of anonymity, said agencies likely will engage with stakeholders as part of how they do normal oversight.

"It varies a lot depending on particular sector and agency involved. That work is going on right now across the different regulatory agencies," the official said.

The regulatory agencies also have been part of the process to develop the framework over the last year.

The much-watched and anticipated Framework for Improving Critical Infrastructure Cybersecurity focuses on risk management and flexibility to help the nation's critical infrastructure providers and other businesses improve their cybersecurity.

The framework consists of three parts:

  • Core - A set of cybersecurity activities, outcomes and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.

  • Profile - Helps organizations align their cybersecurity activities with their business requirements, risk tolerances and resources.

  • Implementation Tiers - Provides a way for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.

"At its core, the framework serves as a bridge between business leaders and information security professionals. Together you can use this framework to gauge the appropriateness of your organization's cybersecurity investments," said Penny Pritzker, the Commerce Department secretary. "As such, if a business leader wants to do more to address cybersecurity, but doesn't know where to begin, the framework can be of great help. The overall goal of the framework is to help organizations align their policies, their technologies and their day-to-day business operations to better protect data and information technology systems. The framework is crafted in a way that it can help any organization regardless of size, sophistication or level of cyber risk."

NIST has led the effort to bring together industry, academia and others to offer insights and comments on how best to create the best-practices guide.

Vendors and associations alike praised NIST's efforts to bring the community together.

"The chamber has valued NIST's involvement with the cybersecurity framework as they have treated the business community as a genuine partner in identifying existing cybersecurity standards and practices that are effective in improving security and resilience," said Ann Beauchesne, the U.S. Chamber of Commerce's vice president of national security and emergency preparedness in an email statement. "Much still remains to be seen in terms of how the cyber framework is implemented and revised, especially the roles that regulatory agencies and departments will play."

Along with the framework, DHS launched the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to increase awareness and use of the document.