Trade Law Daily is a Warren News publication.
McCaul Stumps on Encryption

Feds Echo Internet Security Alliance Call for Better Cybersecurity Metrics

Federal officials highlighted the need for improved metrics on industry use of cyber-risk management best practices, and restated their commitment to using public-private partnerships to address cybersecurity issues. Deputy Assistant Secretary of Commerce Bruce Andrews emphasized metrics development during an Internet Security Alliance (ISA) event Thursday. He announced that the National Institute of Standards and Technology was releasing a draft version of its Baldrige Cybersecurity Excellence Builder, a voluntary cyber-risk management self-assessment tool for industry. ISA released a cybersecurity policy plan for the next administration and Congress aimed at streamlining the federal regulatory process and increasing incentives for the private sector to improve its cyber practices.


NIST's cybersecurity self-assessment would combine the best practices included in the agency-facilitated Cybersecurity Framework with the self-assessment framework used in the institute's Baldrige Performance Excellence Program, Andrews said. Entities evaluating themselves using the Baldrige tool would rate their cybersecurity policies on four tiers of maturity across eight factors related to their security processes and results, the draft said. The four maturity levels range from “reactive” to “role model.” Lower-tier reactive entities have limited cybersecurity policy deployment and typically take a reactive approach to cyber issues rather than making cyber implementation systemic, NIST said in its draft. An upper-tier role model entity takes a fully systemic approach to cybersecurity that's baked into the entity's operational strategy, NIST said.

The Baldrige self-assessment is meant to “empower businesses of every size and sector with the right tools to secure themselves in a threat landscape that is ever evolving,” Andrews said. “Static checklist-like compliance just won't do.” Andrews encouraged industry to join government in developing “dynamic accountable approaches to cyber-risk management. Developing the metrics will demand that we work together.”

Andrews praised FCC use of the public-private partnership model in cybersecurity work under Chairman Tom Wheeler. The application of Wheeler's call for an industry-driven “new paradigm” on cyber-risk management, especially via the Communications Security, Reliability and Interoperability Council, is a “collaborative model” that all other sectors should strive to replicate, Andrews said. CSRIC's 2015 recommendations for adapting the NIST Cybersecurity Framework for communications sector cyber-risk management (see 1503180056) are the “most ambitious real-world application” of the NIST framework yet developed, Andrews said.

Homeland Security Undersecretary-National Protection and Programs Directorate (NPPD) Suzanne Spaulding emphasized the need for further work on cyber-risk management metrics, noting ISA's call for the federal government to begin gathering “hard data” on use of the NIST framework. DHS is working internally and with academic partners “to develop better outcome-based metrics” on cyber-risk management, Spaulding said. The NIST framework “has proven its worth in terms of establishing a lexicon” on cyber-risk management and “sets forth a framework for understanding how to do risk management,” she said. Spaulding emphasized the need for more DHS assistance in helping companies use the NIST framework via its Critical Infrastructure Cyber Community program.

The ISA's proposed 12-step “social contract” on cybersecurity for the next administration urges Congress to dramatically increase federal funding for cybersecurity. The ISA plan also asks the federal government to give more weight to the economic factors driving cyber-risk management practices, saying there hasn't been enough work on developing incentives to drive improvements in private sector uptake of risk management. President Barack Obama highlighted incentives development in his 2013 cybersecurity executive order, which set up the process for creating the NIST framework (see report in the Feb. 14, 2013, issue).

The ISA proposal also makes specific policy recommendations for the communications sector, including urging sector-specific agencies to “take a light hand” with cyber-related regulation. “Government, wherever possible, should avoid prescribing risk frameworks, risk tolerance, appropriate controls, and oversight mechanisms,” ISA said. The communications sector needs the federal government to improve intergovernmental coordination on standards work, and better coordination with outside organizations like the ITU, ISA said. It would be “cost effective” for the federal government to increase its partnerships with communications sector entities to “provide enhanced security in situations where further investment is needed to reduce the impact of high-level threats and provide a broader common level of defense” that's beyond some entities' reach “but ultimately in the national interest,” ISA said.

House Homeland Security Committee Chairman Michael McCaul, R-Texas, stumped for ISA stakeholders' support for his Digital Security Commission Act (HR-4651/S-2604) and his Cybersecurity and Infrastructure Protection Agency Act (HR-5390). HR-4651/S-2604 would create a 13-member National Commission on Security and Technology Challenges (NCSTC), which would eventually provide legislative recommendations to Congress on encryption and other digital security issues (see 1602290074). HR-5390 would rename NPPD as the Cybersecurity and Infrastructure Protection Agency and elevate the office's status within DHS.

NCSTC would give Congress an alternative way of addressing encryption that avoids the “knee-jerk” responses included in other legislation that take more definitive positions on the encryption debate, McCaul said. “A commission is the most responsible way to do that.” McCaul said he's pushing to have the House consider HR-5390 under suspension of House rules and is considering attaching the bill's language to the planned short-term resolution to fund the government once FY 2016 ends Sept. 30.