The National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity

Background

President Obama’s administration has long publicly held that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, which has become increasingly dependent on information technology. Because of an increase in malicious cyber activity and Congress’ failure to act meaningfully to improve this situation, the Administration concluded that steps must be taken to enhance existing efforts to increase the protection and resilience of this infrastructure, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity and protects privacy and civil liberties. During the State of the Union address delivered on February 21, 2013, President Obama announced an expected Executive Order on improving infrastructure cybersecurity (Executive Order 13636, Improving Critical Infrastructure Cybersecurity – referred to here as the “EO”), as well as a Presidential Policy Directive (Presidential Policy Directive-21, Critical Infrastructure Security and Resilience – referred to here as “PPD-21”) establishing a national policy on critical infrastructure security and resilience.

Per the EO, the Secretary of Commerce was required to direct the Director of the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure, which must include “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The EO also requires that the Cybersecurity Framework incorporate voluntary consensus standards and industry best practices to the fullest extent possible, and that it be technology-neutral.

In addition to a consultative process centered on written input from stakeholders, NIST held five public workshops to inform the development of the Cybersecurity Framework, attended by TIA and numerous members. Per the above requirements, NIST issued calls for public input on the Framework’s development. TIA developed detailed written input at each of these opportunities, reflecting the following priorities:

TIA’s Priorities for the NIST Framework

  • Maintaining the flexibility and the ability to innovate. TIA expressed concern about how NIST’s Framework could possibly account for the differences in existing resiliency amongst sectors, as well as how the Framework’s “Core” – particularly its sub-categories and informative references – could avoid being too prescriptive. TIA suggested that sectors should determine their own security profiles, and that cross-sector metrics are neither feasible nor useful.
  • Deference to successful public-private partnerships. TIA advocated that efforts to improve cybersecurity should leverage public-private partnerships as an effective tool for collaboration on addressing current and emerging threats.
  • The necessity of international approaches and standards. TIA urged NIST to ensure that the Framework reflects the priority for U.S.-based technologies’ continued success in the global marketplace, which has been enabled through the development of internationally used standards and best practices. We encouraged NIST to recognize that the global nature of the ICT industry necessarily requires a global approach to address cybersecurity concerns, and that a global supply chain can only be secured through industry-driven adoption of best practices and global standards. We have highlighted that, without clear and direct emphasis on the voluntary nature of the Framework, other governments could interpret it as a set of requirements and be encouraged to use it as a model for adopting prescriptive and harmful regulatory requirements.
  • What “adoption” of a voluntary Framework means. During Framework workshops, NIST personnel defined adoption as “creation, implementation, and use.” TIA also voiced concern regarding who determines “adoption.” We noted that the Framework will likely influence contracting requirements, and raised issues with the Framework’s proposed 0-3 “tiering” assessment and the very real possibility that the use of tiering could necessitate expensive third-party evaluations; naturally, the Framework can also affect the duty of care in litigation. TIA was cognizant that DHS must also kick off its related implementation support program. While DHS stated that the program’s goals are to incentivize participation and connect organizations with common interests within sectors, TIA questioned the voluntary nature of the program as well as this “adoption” issue. Finally, adding to this uncertainty is the fact that the incentives to adopt the Framework remain to be defined.

NIST Releases its Framework for Improving Critical Infrastructure Cybersecurity

As required by the EO, on February 12, 2014, NIST released its Framework for Improving Critical Infrastructure Cybersecurity (available at http://www.nist.gov/cyberframework). TIA summarizes the final version of the Framework as follows:

The heart of the Framework is the “Framework Core,” which “provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.” The Framework Core comprises five “functions”:

  1. Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  2. Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  3. Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  4. Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  5. Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Each “function” has several categories, which in turn contain sub-categories illustrated by “informative references,” leading to an organization’s specific approach to improving resiliency to cybersecurity vulnerabilities. For example, under the “Identify” function, “Asset Management” is one of several categories; within “Asset Management,” “Physical devices and systems within the organization are inventoried” is a sub-category. Finally, this sub-category has beneath it several informative references, which include the widely known ISO/IEC 27001:2013.

The NIST Framework also provides four “Implementation Tiers,” which provide “context on how an organization views cybersecurity risk and the processes in place to manage that risk.” These tiers are:

  • Tier 1 – “Partial”
  • Tier 2 – “Risk Informed”
  • Tier 3 – “Repeatable”
  • Tier 4 – “Adaptive”

Additionally, the Framework describes Framework Profiles, which are an organization’s alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization. The Framework Profile is intended to provide flexibility and scalability in gap analysis and prioritization, and to describe an organization’s current state of cybersecurity resiliency as well as where the organization aspires to be. Notably, the Framework contains no example Profiles, but we have been assured by NIST that this is a goal in future versions of the Framework.
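To make the Core-to-Profile relationship concrete, the following is an added illustration (not NIST’s or TIA’s code) of the gap analysis a Profile is meant to support: a Current Profile records the status of each selected outcome, a Target Profile records the outcomes the business requires and their priority, and the gaps are ranked for remediation with the informative references to consult. Only the Identify / Asset Management sub-category and its ISO/IEC 27001:2013 reference come from the page; the other outcomes and both profiles are constructed.

```python
from dataclasses import dataclass

# Constructed slice of the Framework Core: Function -> Category -> Subcategory
# outcome -> informative references. Only the first entry and its reference are
# from the page; the remaining outcomes are constructed for illustration.
@dataclass(frozen=True)
class Subcategory:
    function: str
    category: str
    outcome: str
    informative_refs: tuple = ()

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

CORE = (
    Subcategory("Identify", "Asset Management",
                "Physical devices and systems within the organization are inventoried",
                ("ISO/IEC 27001:2013",)),
    Subcategory("Identify", "Asset Management",
                "Software platforms within the organization are inventoried"),
    Subcategory("Protect", "Access Control", "Remote access is managed"),
    Subcategory("Detect", "Anomalies and Events", "Detected events are analyzed"),
    Subcategory("Recover", "Recovery Planning", "Recovery plan is executed"),
)

STATUS_RANK = {"not implemented": 0, "partial": 1, "implemented": 2}
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}

def gap_analysis(current: dict, target: dict) -> list:
    """Compare a Current Profile (outcome -> status) against a Target Profile
    (outcome -> business priority). Returns every targeted outcome that is not
    yet 'implemented', ordered by priority and then by the Core's Function
    order, with the informative references an implementer would consult."""
    by_outcome = {sc.outcome: sc for sc in CORE}
    gaps = []
    for outcome, priority in target.items():
        sc = by_outcome[outcome]  # a Profile selects outcomes from the Core
        status = current.get(outcome, "not implemented")
        if STATUS_RANK[status] < STATUS_RANK["implemented"]:
            gaps.append({"priority": priority, "function": sc.function,
                         "category": sc.category, "outcome": outcome,
                         "current": status, "refs": list(sc.informative_refs)})
    gaps.sort(key=lambda g: (PRIORITY_RANK[g["priority"]],
                             FUNCTIONS.index(g["function"])))
    return gaps

# Constructed profiles for a small organization.
CURRENT = {"Physical devices and systems within the organization are inventoried": "partial",
           "Remote access is managed": "implemented"}
TARGET = {"Physical devices and systems within the organization are inventoried": "high",
          "Software platforms within the organization are inventoried": "medium",
          "Remote access is managed": "high",
          "Detected events are analyzed": "high"}
```

Running `gap_analysis(CURRENT, TARGET)` yields three gaps; the partially inventoried physical devices rank first because they are high priority and sit under Identify, the earliest Function.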

NIST’s largest alteration to its Preliminary Framework is the removal of its privacy appendix, which TIA had noted as troublesome on several levels. In the final version of the Framework, the privacy appendix that resembled the Framework Core has been replaced by a “Methodology to Protect Privacy and Civil Liberties” in the body of the Framework. This privacy discussion describes processes and activities that may be considered as a means to address the privacy and civil liberties implications of using the Framework Core. Notably, NIST observes that “not all activities in a cybersecurity program may give rise to these considerations.”

Lastly, in a separate but integrally linked release, NIST has provided a “NIST Roadmap for Improving Critical Infrastructure Cybersecurity” (available at http://1.usa.gov/1gBsNSk), which discusses NIST’s next steps with the Framework, identifies key areas of development, alignment, and collaboration, and calls for further work in nine areas:

  1. Authentication
  2. Automated Indicator
  3. Conformity Assessment
  4. Cybersecurity Workforce
  5. Data Analysis
  6. Federal Agency Cybersecurity Alignment
  7. International Aspects, Impacts, and Alignment
  8. Supply Chain Risk Management
  9. Technical Privacy Standards

Moving Forward with the NIST Framework

There are several important deadlines for NIST and other agencies under the EO, as well as other future activities that are very important to TIA members.

The Department of Homeland Security (DHS) has launched its Critical Infrastructure Cyber Community (C3) Voluntary Program (http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program), which is the EO-required voluntary program to support the use of the Framework. Notably, this DHS effort is working on how to provide technical assistance for implementers, as well as incentives and metrics related to the Framework. TIA is a member of the C3 effort.

NIST has made clear that the Framework is a “living document.” TIA will also continue to work with NIST as it follows its Roadmap. Specifically, NIST has committed to convene:

  • At least one workshop within six months after the Framework’s issuance to provide a forum for stakeholders to share experiences in using the Framework;
  • One or more workshops and focused meetings on specific areas for development, alignment, and collaboration; and
  • A privacy workshop in the second quarter of 2014.

There are several important Framework-based activities outside of NIST that TIA will continue to engage on moving forward. Under the EO, sector-specific agencies were required to submit a report to the President by January 27, 2014 stating whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required. If an agency deems current regulatory requirements insufficient, it is to propose to the White House prioritized, risk-based, efficient, and coordinated actions to mitigate cyber risk by May 19, 2014. Furthermore, agencies with responsibility for regulating the security of critical infrastructure must report to the Office of Management and Budget (OMB) on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements by February 18, 2016.

In addition, independent regulatory agencies with responsibility for regulating the security of critical infrastructure cannot be required to act by the Executive, but are encouraged to engage in a consultative process to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities. Notably, this will occur within the Federal Communications Commission’s (FCC) Communications, Security, Reliability, and Interoperability Council (CSRIC), which will be looking to build the Framework’s goals into its recommended best practices. TIA is an active appointed member of the CSRIC and is already engaged on this specific topic.