Some Cybersecurity National Action Plan Initiatives Progressing, Officials Say
The White House's Cybersecurity National Action Plan (CNAP) includes “a few big-ticket items” like the formation of the Commission on Enhancing National Cybersecurity (CENC), but “in many ways it's corralling a lot” of the work President Barack Obama's administration has done on cybersecurity since 2009, said Department of Commerce Senior Adviser-Cybersecurity and Technology Clete Johnson Thursday during a USTelecom event. Federal officials highlighted many of the cybersecurity programs pulled into CNAP. The programs include the National Institute of Standards and Technology's ongoing assessment of the Cybersecurity Framework and the FCC Communications Security, Reliability and Interoperability Council's (CSRIC) continued work on cybersecurity issues. CNAP, which the White House announced last week, also includes the creation of the Federal Privacy Council and a federal chief information security officer position. The White House released CNAP in conjunction with the release of its FY 2017 federal budget proposal, which includes a 35 percent hike in cybersecurity spending (see 1602090068).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The administration wants all initiatives included in CNAP to become “vehicles to drive implementation” of improvements to U.S. cybersecurity, with CENC being seen as an important opportunity to effect “transformational change” on cybersecurity issues, Johnson said. CENC is required to deliver a set of recommendations to the White House by Dec. 1 on ways to strengthen private sector and public sector cybersecurity, and Commerce expects those recommendation to be “bold and concrete” enough to be effective, Johnson said. The White House is expected to select most of CENC's members in the near future, he said. Obama's appointment Wednesday (see 1602170072) of former National Security Adviser Tom Donilon as chairman and former IBM CEO Sam Palmisano as vice chairman gives CENC leaders with a “tremendous perspective on digital economy issues,” he said: Commerce is “focused on the digital economy and that will be reflected in” CENC.
NIST's assessment of the Cybersecurity Framework it developed with industry and released in 2014 indicates NIST should tweak the existing framework, said National Cybersecurity Center for Excellence Associate Director Donna Dodson. Comments that NIST received “have given us suggestions” for how to improve the existing Cybersecurity Framework, but “so far we haven't seen any major call for an update” to the framework, Dodson said. The newly formed Coalition for Cybersecurity Policy & Law told NIST Thursday the framework “has emerged as a flexible, adaptive and voluntary construct for the protection of critical infrastructure" in the U.S. CCPL's members, announced Thursday, include Cisco, Intel, Microsoft, Oracle, Rapid7 and Symantec. The group said it plans to “support the development and adoption of cybersecurity innovations” and encourage improvements to companies' cybersecurity. The NIST framework remains voluntary. Comments on NIST's RFI on the Cybersecurity Framework are due Feb. 23, Dodson said.
The FCC continues to operate under Chairman Tom Wheeler's vision of a “new paradigm” of collaborating with the private sector instead of focusing on regulatory action, said FCC Public Safety Bureau Associate Chief-Cybersecurity & Communications Jeffrey Goldthorp. The FCC is working to implement CSRIC's 2015 recommendations for adapting the NIST framework to communications sector use (see 1503180056), including meeting with companies to discuss their cyber risks and the ways companies are mitigating those risks, Goldthorp said. The FCC hasn't begun meeting with companies on cyber risk but expects to start shortly, he said. Several CSRIC working groups are working on other cybersecurity issues (see 1506240053).