The nation’s critical infrastructure is massive in its size, diversity and geographic spread — literally tens of thousands of financial, transportation, power, telecommunications, manufacturing, health care and government organizations from coast to coast. So it may have been a surprise to some when the National Institute of Standards and Technology posted a mere 53 responses last week to the Obama administration’s voluntary framework for improving critical infrastructure cybersecurity.
NIST had requested feedback in August from the private sector owners and operators of critical infrastructure to better understand how the framework was being used and how officials might improve the voluntary guidelines in future versions. Although there were several government agencies, and finance and energy companies among the organizations that provided feedback on the framework, the vast majority of responses posted Oct. 10 by NIST came from tech companies and industry associations.
“The response was about what I expected,” Adam Sedgewick, a senior IT policy adviser who has been leading NIST’s work on the cybersecurity framework, said in a telephone interview with FedScoop. “The trade associations represent hundreds of organizations. That’s helpful to us because they represent the opinions of broad swaths of industry. And the response is really about how the framework is being used, not about how many have adopted it.”
Sedgewick said an “initial scrub” of the responses had been completed and there may be more posted on the NIST site.
Released in final form in February, the framework is the centerpiece of President Barack Obama’s Executive Order 13636 – Improving Critical Infrastructure Cybersecurity – which directed NIST to work with the private sector, which owns and operates more than 85 percent of the nation’s critical infrastructure, to develop a voluntary set of guidelines and best practices for reducing cyber risks. And while NIST put significant effort into obtaining private sector input during the framework’s development, the strategy has been dogged by lingering doubts about how many companies would actually adopt the voluntary standards.
Sedgewick, however, said focusing on the number of respondents to the RFI and the number of companies that will adopt the framework is missing the point. The goal, he said, was to learn how NIST can make the framework better. “We’re going to look for certain trends … for example, if standards bodies begin issuing guidance based on the framework,” he said. “But understanding the overall impact is really a whole-of-government responsibility.”
The Department of Homeland Security did not respond to FedScoop’s request for comment.
Dell Inc., International Business Machines Corp., Intel Corp. and Microsoft Corp. were among the tech firms that offered responses to the framework. But the biggest response came from an assortment of associations, including the U.S. Telecom Association, Telecommunications Industry Association, CTIA-The Wireless Association, Utilities Telecom Council and the U.S. Chamber of Commerce.
Most of the organizations said the framework has been helpful in raising awareness of best practices in cybersecurity risk management. But many of the critical infrastructure vertical industries pointed to existing guidelines and voluntary standards as the centerpiece of their risk management programs and characterized the NIST framework as a supplement that has helped further refine existing standards and processes.
One response, written by Thomas Curtis, deputy executive director of the American Water Works Association, raises questions about the effectiveness of the outreach materials used by NIST to support the framework and by DHS to support the Critical Infrastructure Cyber Community Voluntary Program, known as C-Cubed.
“Current Framework and C-Cubed outreach materials do not acknowledge the proactive steps the water sector has taken to enhance cybersecurity, which can lead to confusion about what a water utility should be doing,” Curtis wrote. “This is especially discouraging since EO 13636 supports the development of sector-specific guidance, yet repeated attempts to have the AWWA resources integrated or referenced by NIST and DHS appear to be ignored.”
The Nuclear Regulatory Commission, one of the few federal agencies to provide feedback on the framework, noted that “at this time the NIST Framework’s application is not prevalent” among commercial nuclear reactor operators, primarily because the NRC published its own mandatory cybersecurity rules in 2009 as part of the NRC Code of Federal Regulations.
“We believe that the framework tenets should continue to be used on a voluntary basis, however, we note that regulatory entities should be empowered to leverage the Framework Core Functions as they deem essential to ensure that their entities establish and maintain meaningful and measurable programs to protect their critical infrastructures,” the NRC wrote in its response.
Sempra Energy, which includes San Diego Gas & Electric Co. and Southern California Gas Co., said that it is currently considering parts of the framework but that it is already “held to more stringent standards elsewhere,” particularly Department of Energy guidelines and sector-specific versions of the Cybersecurity Capability Maturity Model. “The degree of adoption could also be influenced by additional incentives that have yet to be defined,” the company said in its response.
“The greatest challenge is for the Framework to demonstrate additional benefits beyond similar frameworks and tools already in use,” the company stated. “As the program currently stands, adoption of the Framework is driven by the benefits versus the costs of program changes. Specification of incentives to adopt the Framework may change the benefits and accelerate integration of the Framework into the industry.”