The Cybersecurity Framework at One Year

By: William Jackson
February 27, 2015


One year after publication, the administration’s Cybersecurity Framework remains a work in progress, but it is helping to drive and define discussions on the need for cybersecurity as an integral part in the risk management of our critical infrastructure.

The administration’s Framework for Improving Critical Infrastructure Cybersecurity marked its first birthday this month, and although it remains a work in progress it is helping to drive awareness of the need for cybersecurity as an integral part of the risk management programs of the nation’s critical infrastructure.

But while the framework generally is seen as a good first step toward improving infrastructure security, it probably will be years before we see the full results in our energy production and distribution grids, and our transportation, financial and communications systems. During that time, the document will continue to evolve. The National Institute of Standards and Technology, which developed the document in collaboration with the Homeland Security Department and private industry, published a roadmap for addressing gaps at the same time as the first version of the framework.

“The cyber threat and vulnerabilities landscape continues to evolve,” the Energy Department advised NIST when the framework was six months old. The emergence of cloud-based services, mobile apps and the possibility of domestic and international cybersecurity legislation will shape requirements for cybersecurity going forward.

The framework of voluntary guidelines addresses the problem of critical infrastructure systems that have become more modern, networked and reliant on the Internet without having matured in their cybersecurity. The result is critical systems that are increasingly vulnerable to Internet-based attacks. It was released Feb. 12, 2014, under an executive order issued by the president a year earlier in response to Congress’s failure to pass cybersecurity legislation.

The elements of the framework are not new. It is based on existing industry and international standards and best practices, and the catalog of security and privacy controls in NIST’s Special Publication 800-53 forms its foundation. Because it is based on already accepted standards and practices, many of its elements already are in place in many organizations, and those adopting the framework are not starting from scratch.

What the framework provides, said Jamie Brown, director of global government relations for C.A. Technologies, is a common lexicon for discussing cybersecurity across industry sectors, a list of accepted controls and best practices, and the flexibility to adapt to different industries and different threats over time. Brown said that he is seeing the framework used as a basis for discussions in telecom, banking, energy and transportation companies.

NIST last summer released a Request for Information on “Experience with the Framework for Improving Critical Infrastructure Cybersecurity,” asking about current awareness of the framework, how it can be improved, and how it is being used or is planned to be used.

The Energy Department, the agency charged with overseeing the nation’s energy industry, responded that the industry, which cooperated in developing the framework, also has worked with DOE to develop sector-specific guidance for implementing it, which “will provide further traction towards implementation of the framework in the energy sector.” But although there is general awareness of the framework in the energy sector, NIST and other regulatory agencies should continue outreach efforts, particularly among small and medium-sized companies.

While the Cybersecurity Framework is gaining traction in the private sector, much of the hard work of implementation remains to be done. One critical element that everyone agrees is necessary for better cybersecurity is information sharing, both among infrastructure owners and operators, and between the private sector and government. But after more than a decade of talking about the need for sharing, it still is seen as a problem area. We will look at some of the barriers to more effective info sharing in an upcoming Cybereye.