Cybersecurity: Executive order 13636 and the nist framework

Post on 07-Feb-2016


Cybersecurity: Executive order 13636 and the nist framework. Telecommunications Industry Association. Topics. Part I – Executive Order 13636 Part II – Framework Development History and TIA Involvement Part III – The Framework Part IV – Issues and Next Steps. - PowerPoint PPT Presentation

Transcript of Cybersecurity: Executive order 13636 and the nist framework

CYBERSECURITY: EXECUTIVE ORDER 13636 AND THE NIST FRAMEWORK

Telecommunications Industry Association

Topics

• Part I – Executive Order 13636
• Part II – Framework Development History and TIA Involvement
• Part III – The Framework
• Part IV – Issues and Next Steps

Part I – Executive Order 13636

Executive Order 13636

• Issued on February 12, 2013
  – Followed in the wake of the failure of comprehensive cyber legislation in the Senate (late 2012)
• Required NIST to develop a voluntary Cybersecurity Framework
  – Agencies are supposed to review the Framework against their current regulations for gaps (Sec. 10)
• DHS establishes a voluntary critical infrastructure program
  – Notification to private sector owners & operators
• Includes limited measures to improve information sharing

EO – Information Sharing (Sec. 4)

• Requires agencies to produce timely, unclassified reports that “identify a specific targeted entity”
• Facilitates transmission of classified information to critical infrastructure entities that are “authorized to receive them”
• Does nothing to improve sharing FROM the private sector
• The government recognizes that legislation is still needed to improve real-time, bi-directional information sharing

EO – Critical Infrastructure Definition

• Definition (Sec. 3)
  – “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
• IT Limitation (Sec. 9a)
  – When designating critical infrastructure at greatest risk, DHS may not “identify any commercial information technology products or consumer information technology services” within the program

EO – Critical Infrastructure Program

• DHS Identification (Sec. 9)
  – Requires the agency to use a “risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
• Incentives (Sec. 8c)
  – DHS must “coordinate establishment of a set of incentives designed to promote participation in the Program”
  – Not yet clear what these will be
  – Liability protection requires statutory authority

EO – Agency Adoption of Framework

• Review
  – “Agencies with responsibility for regulating the security of critical infrastructure shall … review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient….”
• Action
  – “If current regulatory requirements are deemed to be insufficient … agencies … shall propose prioritized, risk-based, efficient, and coordinated actions … to mitigate cyber risk.”
• Independent Agencies (FCC etc.)
  – “encouraged … to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities”

Part II – Framework Development History and TIA Involvement

Development Process

• Kick-started by EO (Sec. 7) in February
• Series of workshops with industry
• Preliminary Framework released by NIST on October 22, 2013
  – Delayed two weeks from original due date because of the government shutdown
• Final version released on February 12, 2014
• NIST will keep updating it after that

TIA Involvement

• Written comments to NIST
• Three meetings with NIST staff
  – Aug. 1, 2013
  – Aug. 27, 2013
  – Jan. 7, 2014
• Participation of NIST staff in TIA events

TIA Input / Concerns

• Maintaining the flexibility and ability to innovate
• Deference to successful public-private partnerships
• The necessity of international approaches and standards
• What “adoption” means
• Framework’s fixation on “advanced threats” rather than “cyber hygiene”
• Framework’s problematic approach to privacy
• NIST’s designation of “undeveloped” areas for future work, importantly including supply chain

TIA Evaluation of Final Framework

• Many TIA concerns have been addressed
• NIST has emphasized the voluntary nature of the Framework
• Framework reflects the need to incorporate and rely on existing standards and best practices
• Reflects TIA’s advocacy that flexibility and technology neutrality are critical
• Reflects TIA’s advocacy that a business case is a key driver for increasing private-sector cyber resiliency
• Framework embraces the concept that an international approach should not be country-specific

Part III – The Framework

Components

• Framework Core
  – Set of cybersecurity functions and references
  – Big table
• Framework Profile
  – Tool to help organizations establish a roadmap for reducing cybersecurity risk
• Framework Implementation Tiers
  – How well an organization manages its cyber risk

Framework Core

• Five Functions
  – Identify, Protect, Detect, Respond, Recover
• Categories
  – Examples: “Asset Management,” “Access Control,” and “Detection Processes.”
• Subcategories (high-level outcomes)
  – Examples: “Physical devices and systems within the organization are catalogued,” “Data-at-rest is protected,” and “Notifications from the detection system are investigated.”
• Informative references (standards – ISO etc.)

The Chart

Framework Profile

• Alignment of two things:
  – Functions, Categories, Subcategories and industry standards and best practices, with
  – Business requirements, risk tolerance, and resources of the organization

Framework Tiers

• Describe an “increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is integrated into an organization’s overall risk management practices”
  – Tier 1: Partial
  – Tier 2: Risk-Informed
  – Tier 3: Repeatable
  – Tier 4: Adaptive

Example – Tier 1: Partial

• Risk Management Process
  – Organizational cybersecurity risk management practices are not formalized and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
• Integrated Program
  – There is a limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
• External Participation
  – An organization may not have the processes in place to participate in coordination or collaboration with other entities.

Example – Tier 4: Adaptive

• Risk Management Process
  – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous cybersecurity activities. Through a process of continuous improvement, the organization actively adapts to a changing cybersecurity landscape and responds to emerging/evolving threats in a timely manner.
• Integrated Program
  – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
• External Participation
  – The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs.

Part IV – Issues & Next Steps

Potential Issues

• Incentives for adoption
  – Cost is a factor
• Regulation
  – How will agencies respond?
• Liability
  – Does the Framework establish a “duty of care”?
  – Tier 4 implementation “or else”?
• What will Congress do?

The Next Version: NIST Roadmap

• Authentication
• Automated Indicators
• Conformity Assessment
• Cybersecurity Workforce
• Data Analysis
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards
• Bottom Line – More To Come in Future Versions

Cyber Topics Missing from EO

• Cybercrime
• R&D efforts
• Cyber hygiene & education
• Data breach notification
• FISMA reform
• These things may require legislation

Conclusion / Contacts

Dileep Srihari – dsrihari@tiaonline.org (703)-907-7715

Brian Scarpelli – bscarpelli@tiaonline.org (703)-907-7714

Telecommunications Industry Association