I’ll leave it to you to tell your kids where babies come from, but here’s where the cybersecurity framework that the President called for in his Executive Order will come from if the National Institute of Standards and Technology (NIST) has its way: You. That is, if you represent a private-sector critical infrastructure enterprise. To put it another way, NIST is counting on private-sector input.
The effort to engage with the private sector has already begun with a two-pronged process. The first prong was a request for information (RFI), published February 24, asking industry to send information about what it is currently doing that might serve as a best practice. The second was the first in a series of workshops that NIST will hold to hammer out the specifics, though this one, held in April, was more about setting goals.
The April workshop included panels of business experts representing critical infrastructure sectors and information sharing analysis centers (ISACs). They used the opportunity to highlight key points they hoped NIST would keep in mind as it worked with stakeholders to craft the framework.
Reid Stephan, information security manager for St. Luke’s Health System, emphasized the importance of making sure that the framework was not just a technical document for cybersecurity professionals. Michael Arceneaux of the Water ISAC seconded that, saying, “The framework needs to be aimed at non-IT managers.” He noted that “most standards are perfectly unintelligible to most people.”
In a similar vein, Deborah Kobza of the National Health ISAC spoke of the need for the framework to look at cybersecurity from the perspective of each person who would have to implement it, such as the front-line doctor or nurse.
Terry Rice, AVP of IT risk management and chief information security officer at Merck & Co., Inc., noted that it is difficult to know when you can say you’ve achieved success in cybersecurity, so he asked that the framework focus on what benchmarks could be used. Scott Algeier, representing the IT ISAC, highlighted the need for the framework to keep the focus on realistic and likely risks.
Russell Schrader, chief privacy officer at Visa, cautioned against codifying standards because they are “difficult to update as things change.”
Many participants also emphasized the importance of considering how the framework would fit within the existing regulatory landscape, both in the United States and globally, so as not to force companies to meet incompatible standards. Everyone highlighted the need to establish a clear legal framework for information sharing, which, it was acknowledged, would also require congressional action.
The next workshop is May 29. More workshops are scheduled for July and September. The first draft will then be issued for comment in October. NIST encourages private sector critical infrastructure enterprises to get involved in shaping the results. But as Bob Dix of Juniper Networks noted, “This is a rapidly moving train, so don’t delay.”