TIA Provides Input to NIST on Awareness and Initial Experiences with the Cybersecurity Framework
Across stakeholders, the need for putting robust procedures, policies, and systems in place to protect our most sensitive information is increasingly being recognized. Growing cybersecurity threats make it more important than ever for collaboration between private and public interests to comprehensively evaluate and address evolving threats to information security.
No community of organizations knows this better than the information and communications technology (ICT) manufacturer and vendors that supply the equipment and services that enable owners and operators across the 16 critical infrastructure sectors, from communications to energy to financial.
It has now been over a year and a half since President Obama announced, during the 2013 State of the Union address, an Executive Order on improving infrastructure cybersecurity. The Executive Order, among other important directives, required the National Institute of Standards & Technology (NIST) to craft a voluntary Cybersecurity Framework, along with a roadmap for future areas that the Framework may explore.
To find these documents and learn much more about the Framework, just visit NIST's website. TIA heavily participated in the process of the Framework's development, urging NIST to preserve the flexibility and the ability to innovate, to defer to successful public-private partnerships, and to recognize the necessity of international approaches and standards (we have discussed the Framework and TIA's views here).
Now that the Framework has been released (in February earlier this year), NIST in August issued a request for input to the public to check on how things are going. How aware are critical infrastructure stakeholders of the Framework? Are there any initial experiences with using the Framework that can be shared? NIST posed these and other important questions, and comments were due October 10, 2014.
In response, TIA submitted input to NIST to provide the ICT manufacturer and vendor perspective.
First, TIA noted that there is widespread awareness of the Framework amongst the members of the ICT manufacturer, supplier, and vendor community. TIA has worked to share developments related to the Framework with member companies through its Cybersecurity Working Group, which determines the association's public policy positions related to the security of ICT equipment and services from a vendor perspective as it relates to critical infrastructure, supply chain, and information sharing. These include the activities of NIST in the development of the Framework itself as well as the Department of Homeland Security's (DHS) Critical Infrastructure Cyber Community (C3) Voluntary Program which is intended to support industry in increasing its cyber resilience; increasing awareness and use of the Framework; and encouraging organizations to manage cybersecurity as part of an all-hazards approach to enterprise risk management.
As to experiences so far, in our comments we discussed that, while many of the solutions to improve cybersecurity are already driven by private business agreements and the need to differentiate from competitors in the marketplace, the ICT manufacturer and vendor community remains committed to efforts to enhance cybersecurity for critical infrastructure through collaboration with key private and public stakeholders. As this blog post is being written, key efforts are underway in public-private partnerships across critical infrastructure sectors.
For example, in the communications sector, TIA has taken a leadership role within the Federal Communications Commission (FCC) Communications Security, Reliability, and Interoperability Council's (CSRIC) Working Group 4, which is working to develop voluntary mechanisms to provide macro-level assurance to the FCC and the public that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise through the application of the NIST Cybersecurity Framework, or an equivalent construct. There are also other important information sharing efforts, too, such as the Communications Sector Coordinating Council within DHS' Critical Infrastructure Sector Partnership construct.
Moving forward, TIA urged NIST to continue to prioritize the scope of the Framework as applying to the owners and operators of critical infrastructure, prescribed in E.O. 13636, and not non-critical systems; and that any activity related to supply chain risk management fully appreciates the international nature of the ICT industry which requires a global approach to address cybersecurity concerns, and that a global supply chain can only be secured through an industry-driven adoption of commercially practical best practices and global standards embracing that reality. Mutually recognized international agreements are particularly useful in that they enable ICT manufacturers to build once and then sell globally.
These topics and others will be addressed during the upcoming NIST Cybersecurity Framework workshop, which is occurring October 29-30 in Tampa, FL.