In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order called for the development of a voluntary, risk-based Cybersecurity Framework: a set of existing standards, guidelines and practices to help organizations manage cyber risks. The executive order designated the National Institute of Standards and Technology (NIST) to coordinate and lead this effort.
In February 2014, NIST released the highly anticipated framework (Version 1.0), providing a common language for addressing and managing cyber risk cost-effectively. The framework is designed to help organizations develop information security protection programs based on business needs. It offers best practices for voluntary use across critical infrastructure sectors including government, healthcare, financial services and transportation.
A few short months after the release of the new framework, many unanswered questions remain, including: how will the new policy affect the security of critical infrastructure, comparable standards, and those sectors not currently classified as critical infrastructure? Below are some of my thoughts on what you really need to know about the Cybersecurity Framework and its trickle-down effects. This is the first of a three-part series on this topic.
PART 1 - IMPACT
Q. How will the framework affect businesses? What is the business incentive to adopt the guidance, and will there eventually be a certification attesting to adoption of the framework?
The framework attempts to be a focal point for all of the standards and leading practices. However, the guidance is optional at this point. I envision there will be a push from the insurance and vendor communities to provide some sort of "certification" or "attestation" of your adherence to, and implementation of, the framework. This could result in reduced premiums for those that apply the framework to their business, or establish a case for security negligence if the framework is not implemented. Regardless of any need or requirement to implement the framework in a business, the NIST framework represents a positive collaboration between the public and private sectors. A common risk-based approach to security can add additional layers of protection. Why not implement it?
Q. Which industries will it impact the most, and why? Which industries are directly impacted, and which face indirect implications (e.g., providers, suppliers, the private sector, the information technology and communications sectors, and commercial technology products and services groups)?
As the framework was intended to address entities designated as critical infrastructure, I believe it will become applicable to all if both the public and private sectors agree on a lifecycle-based security paradigm. If it is applicable to government entities (critical infrastructure, national security), it will logically also extend to those organizations that conduct business with government entities. From there, I see it continuing to spread down the proverbial food chain.
Regardless of the origin of the framework, I believe all organizations will be put in the position of having to answer "Why not implement it?" If your current program is built on some of the underlying standards, you may be closer to implementation than you think. In that case, the framework may simply provide a standardized mechanism for discussing your program and managing continuous improvement.
Q. Will it have any effect, and will it protect critical infrastructure and enterprises from cyberattacks?
I believe the framework will have a positive effect on enterprises and critical infrastructure alike. The positive effects will be driven from two vectors: the introduction of the framework and its implementation. I'll explain more in the next blog post, which addresses NIST implementation.
Q. Will the framework have a serious impact on the security of critical infrastructure? What issues remain that could stifle the favorable movement of the country's security posture?
I believe it will be a pillar of our nation's security plan. That said, the government will be focusing on industries connected to national security. Organizations and industries not tagged with this designation will face less pressure to adopt the framework. To get the maximum benefit from this framework, those outside of national security must also embrace it and map their security business processes to the framework.