CSRIC Working Group 4 to Report Advancement on Cybersecurity Work
Communications Security, Reliability & Interoperability Council (CSRIC) Working Group 4 will be able to report at CSRIC’s meeting Wednesday that it has made “substantial progress” on its work to use the National Institute for Standards and Technology’s (NIST) Cybersecurity Framework for communications sector needs, said Working Group 4 Co-Chair Robert Mayer in an interview.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Working Group 4 remains on track to release a final report and recommendations in March on communications sector use of the NIST framework for sector-wide cyber risk management, said Mayer, USTelecom vice president-industry and state affairs. The group is aiming to produce an interim draft report by mid-January for further review, he told us. CSRIC last met in June, when FCC officials ramped up pressure for the private sector to act on cybersecurity (CD June 19 p2).
Working Group 4 has modified its description to increase the focus on the report and recommendations it plans to produce, which will include “voluntary mechanisms” that will assure the FCC and the public that the communications sector is taking necessary steps to manage cybersecurity risk. Individual companies will be able to tailor those mechanisms to fit their needs and risks, Mayer said. The report will also include “meaningful” metrics for internal and external evaluations of companies’ cybersecurity risk management, he said. The mechanisms will have a strong foundational grounding in the principles included in the NIST framework, which has emphasized flexibility because “you'll never be able to align a particular process or technology with a threat in an environment that is as dynamic as this,” Mayer said.
Working Group 4 has recently increased its emphasis on developing metrics for evaluating cyber risk management, forming an additional feeder group to specifically explore metrics, Mayer said. That group began working two weeks ago, so its 15 members are still determining the best attributes of an effective metric, he said. A good set of metrics will connect enterprise risk management, sector risk management, multinational risk management and key indicators, Mayer said. “None of that has been established yet,” he said. “We recognize that using a measurement to validate progress is a complicated and complex task.”
Other feeder groups are examining other sector-specific issues like barriers to implementation of the NIST framework. The barriers feeder group is examining how factors like legal issues, operational issues and resource scarcity could affect companies’ ability to increase cyber risk management, Mayer said. Separate subsections of the communications sector -- particularly companies smaller than the major telcos and cable companies -- have “unique technical barriers and legal barriers” that warrant study, said Larry Clinton, co-lead of the barriers feeder group and Internet Security Alliance president. “That process is still ongoing.” The goal is to combine all of the industry issues involved in risk management implementation together “in as coherent a manner as possible,” Clinton said.
Working Group 4’s process “has been rather excellent,” Clinton said. “I think it is among the most engaged and well-organized of any of the sector processes I'm familiar with. I get the sense that the FCC people who've been involved with the working group are pleased with the efforts so far.” It’s difficult to compare CSRIC’s work with the process NIST used to facilitate development of the Cybersecurity Framework because the framework process simply identified existing standards and best practices, Clinton said. “The process we're going through in CSRIC is a next step along that road. It’s a more advanced stage of the NIST process, getting to a number of issued NIST raised but didn’t fully address” like the barriers issue, he said.