Export Compliance Daily is a Warren News publication.
‘Industry Partnership’ Vital

Cybersecurity Framework, Related DHS Program Still Works in Progress, Officials Say

White House officials praised the recently released “Version 1.0” Cybersecurity Framework Friday, saying the framework and a voluntary Department of Homeland Security program meant to encourage its industry adoption could be a “major shift” in U.S. cybersecurity tactics despite their reliance on existing standards and federal programs. The National Institute of Standards and Technology (NIST) released the framework Wednesday, culminating a yearlong development process in conjunction with industry stakeholders. DHS simultaneously announced the start of its Critical Infrastructure Cybersecurity Community (C3) program, which the department said will provide industry with a consolidated point of access to existing DHS cybersecurity resources meant to help facilitate development of cyberrisk management (WID Feb 13 p1).


White House Cybersecurity Coordinator Michael Daniel said during a USTelecom event that continued industry participation is vital to the framework’s efficacy. The framework itself is a “living document” that will require regular revisions, while the C3 program “needs to grow and reflect, in partnership with industry, what is needed in order to actually implement the framework,” he said.

NIST will continue to facilitate revisions to the framework for the foreseeable future -- including holding workshops akin to the five it held on the framework last year -- though the White House believes all stakeholders should take time to review how the framework operates in real time “before we even think about tweaking it,” Daniel said. Adam Sedgewick, NIST senior information technology policy adviser, said the agency believes the real test now is seeing how industry stakeholders use the framework, saying “having a set of common practices will allow a set of conversations to occur that may not have happened before.”

NIST will continue to play a role in framework development for now, but the White House is exploring spinning that role off to a nongovernmental entity at some point, Daniel said. “We all view that it would be much better if this is something that industry could own and continue to drive,” he said. Any decision to take that step would not be immediate and would come after rigorous consultation with stakeholders, Daniel said.

DHS sees the C3 program as a way to consolidate its outreach efforts to stakeholders, including the critical infrastructure sector coordinating councils and sector-specific information sharing and analysis centers, said Jenny Menna, director of DHS’s Stakeholder Engagement and Cyber Infrastructure Resilience division. DHS will also use the C3 program to work with the U.S. Chamber of Commerce to collaborate with small- and medium-sized businesses that hadn’t traditionally participated in the federal cybersecurity discussion. The department will also use C3 to work on cybersecurity outreach to state and local governments, Menna said. The services DHS is offering through C3 were all existing departmental programs, such as the Cyber Resilience Reviews. DHS is, however, tailoring those programs to align with the framework, Menna said. The department knows “we need to get feedback,” she said. “We’re planning to grow and improve and make this better going forward. We need to get feedback from the community about what is and isn’t working with the program, what your needs are that we aren’t yet meeting and how we can build those together.”

The White House plans to release a “road map” in the coming months that will guide action on possible incentives to encourage framework adoption, said Samara Moore, the White House National Security Staff’s director-critical infrastructure. That road map would follow months of reviews by federal agencies on the feasibility of a set of eight incentive categories the White House released in August. The White House believes incentives are important but are “icing” on top of more critical market factors that will drive industry adoption, Daniel said.

Ari Schwartz, the White House National Security Staff’s director-cybersecurity privacy, civil liberties and policy, said he believes the importance of additional incentives “has been overstated,” saying “we're moving in the right direction already, even with limited incentives.” Additional incentives will certainly be helpful, but “it’s proving to not be as essential as certain commentators” claimed, Schwartz said.