It has been almost a week since President Obama’s Executive
Order on critical infrastructure cybersecurity (EO 13636) was officially
published in the Federal Register (78 FR 11737-11744).
There are a number of important deadlines provided in the EO but one of the
most critical is the requirement for NIST to publish a “preliminary version of
the Cybersecurity Framework” (§7(e)) within 240 days of the publication of the
EO (deadline – 10-17-13).
Consultative Process
Complicating the meeting of this deadline are the
requirements of §7(d) that describe the development requirements that must be
met. The first is that the Director of NIST will “engage in an open public
review and comment process”. Principally this is going to require that at the
end of initial process the preliminary Framework will be published in the
Federal Register and there will be a public comment period provided. Since this
is the end product of the 240-day deadline, that does not seem to be a cause
for potential delay, except that the document has to be submitted to OMB for
review/approval before that publication takes place. That review process can
take anywhere from a couple of weeks to years.
The Director is also required to consult with a variety of
government agencies in the development process. The EO states that the Director
will consult with “the [DHS] Secretary, the National Security Agency, Sector-Specific
Agencies and other interested agencies including OMB”. The Director of NIST
does not have the same political weight as the Secretary, the Director of NSA
or OMB, so that ‘consultative’ process will probably be done in more of a
directed fashion. That will be further complicated by the fact that those three
agencies have frequently conflicting objectives. Of course, no one expects that
there will be any petty political foot dragging because NIST got to develop the
Framework and not DHS or NSA (just a tiny bit of political sarcasm here).
Other ‘lesser’ government agencies are also to be consulted
in the framework development process. They include:
• Other relevant agencies;
• Independent regulatory agencies; and
• State, local, territorial, and tribal governments.
A number of ‘other’ federal agencies have some measure of
cybersecurity oversight responsibility that will have to be consulted so that
their toes won’t get stepped upon. The real sensitive toes will be found in the
‘independent’ regulatory agencies who have some active current cybersecurity
programs in place, including FERC, NRC and SEC to mention a few.
There are also requirements to consult with the private
sector. These are more clearly identified in §6 of the EO and include the:
• Critical Infrastructure Partnership Advisory Council;
• Sector Coordinating Councils;
• Critical infrastructure owners and operators;
• Universities; and
• Outside experts.
Since the Secretary has 150 days to identify specific critical
infrastructure at ‘Greatest Risk’, this could be a special delaying factor in
the consultative process. It looks, however, like the Director has found a way
to shortcut this problem and to expansively engage the potentially affected
private sector communities. There is going to be a Request for Information
(RFI) published in the near future in the Federal Register asking for general
and some specific information that will be used to develop the preliminary
Framework. In effect, if not de jure, this will be an advance notice of proposed
rulemaking (ANPRM).
Draft RFI
It certainly seems like the Director intends to meet the 240-day
deadline set by the President. A draft copy of the RFI
was produced (apparently from the file name) on February 12th, the
day before the President released the EO. I have been waiting expectantly all
week for it to appear in the Federal Register, but it appears that we may have
already hit the first OMB delay.
The NIST draft RFI document (page 1) proposed three goals
for the Framework development process:
• To identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities;
• To specify high-priority gaps for which new or revised standards are needed; and
• To collaboratively develop action plans by which these gaps can be addressed.
NIST goes on to explain (page 2) that in order to be
effective the Framework should provide:
• A consultative process to assess the cybersecurity-related risks to organizational missions and business functions;
• A menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats and protect privacy and civil liberties;
• A consultative process to identify the security controls that would adequately address risks that have been assessed and to protect data and information being processed, stored, and transmitted by organizational information systems;
• Metrics, methods, and procedures that can be used to assess and monitor, on an ongoing or continuous basis, the effectiveness of security controls that are selected and deployed in organizational information systems and environments in which those systems operate, and available processes that can be used to facilitate continuous improvement in such controls;
• A comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide senior leaders/executives with the kinds of necessary information sets that help them to make ongoing risk-based decisions;
• A menu of privacy controls necessary to protect privacy and civil liberties.
Control System Coverage
A close reading of the guidelines explicated above shows
that NIST appears to be information-focused. This is made clear by the introductory
sentence that precedes the list above. It states:
“In order to be effective in
protecting the information and information systems [emphasis added] that are a
part of the U.S. critical infrastructure, NIST believes the Framework should
have a number of general properties or characteristics.”
Reading through the remainder of the document there are a
few mentions of control system issues but the vast bulk of this document
focuses on information systems. I’ll look at the information requirements, and
their relationship to control system security issues, of the RFI in future blog
posts.