Framework Slides 2-20-14 - Telecommunications Industry

CYBERSECURITY: EXECUTIVE ORDER 13636 AND THE NIST FRAMEWORK
Telecommunications Industry Association
Topics
• Part I – Executive Order 13636
• Part II – Framework Development History and TIA Involvement
• Part III – The Framework
• Part IV – Issues and Next Steps
Part I – Executive Order 13636
Executive Order 13636
• Issued on February 12, 2013
– Followed in the wake of the failure of comprehensive cyber legislation in the Senate (late 2012)
• Required NIST to develop a voluntary Cybersecurity Framework
– Agencies are supposed to review the Framework against their current regulations for gaps (Sec. 10)
• DHS establishes a voluntary critical infrastructure program
– Notification to private sector owners & operators
• Includes limited measures to improve information sharing
EO – Information Sharing (Sec. 4)
• Requires agencies to produce timely, unclassified reports that “identify a specific targeted entity”
• Facilitates transmission of classified information to critical infrastructure entities that are “authorized to receive them”
• Does nothing to improve sharing FROM the private sector
• The government recognizes that legislation is still needed to improve real-time, bi-directional information sharing
EO – Critical Infrastructure Definition
• Definition (Sec. 3)
– “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
• IT Limitation (Sec. 9a)
– When designating critical infrastructure at greatest risk, DHS may not “identify any commercial information technology products or consumer information technology services” within the program
EO – Critical Infrastructure Program
• DHS Identification (Sec. 9)
– Requires the agency to use a “risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
• Incentives (Sec. 8c)
– DHS must “coordinate establishment of a set of incentives designed to promote participation in the Program”
– Not yet clear what these will be
– Liability protection requires statutory authority
EO – Agency Adoption of Framework
• Review
– “Agencies with responsibility for regulating the security of critical infrastructure shall … review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient….”
• Action
– “If current regulatory requirements are deemed to be insufficient … agencies … shall propose prioritized, risk-based, efficient, and coordinated actions … to mitigate cyber risk.”
• Independent Agencies (FCC etc.)
– “encouraged … to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities”
Part II – Framework Development History and TIA Involvement
Development Process
• Kick-started by the EO (Sec. 7) in February
• Series of workshops with industry
• Preliminary Framework released by NIST on October 22, 2013
– Delayed two weeks from the original due date by the government shutdown
• Final version released on February 12, 2014
• NIST will keep updating it after that
TIA Involvement
• Written comments to NIST
• Three meetings with NIST staff
– Aug. 1 2013
– Aug. 27 2013
– Jan. 7 2014
• Participation of NIST staff in TIA events
TIA Input / Concerns
• Maintaining the flexibility and ability to innovate
• Deference to successful public-private partnerships
• The necessity of international approaches and standards
• What “adoption” means
• Framework’s fixation on “advanced threats” rather than “cyber hygiene”
• Framework’s problematic approach to privacy
• NIST’s designation of “undeveloped” areas for future work, importantly including supply chain
TIA Evaluation of Final Framework
• Many TIA concerns have been addressed
• NIST has emphasized the voluntary nature of the Framework
• Framework reflects the need to incorporate and rely on existing standards and best practices
• Reflects TIA’s advocacy that flexibility and technology neutrality are critical
• Reflects TIA’s advocacy that a business case is a key driver for increasing private-sector cyber resiliency
• Framework embraces the concept that an international approach should not be country-specific
Part III – The Framework
Components
• Framework Core
– Set of cybersecurity functions and references
– Big table
• Framework Profile
– Tool to help organizations establish a roadmap for reducing cybersecurity risk
• Framework Implementation Tiers
– How well an organization manages its cyber risk
Framework Core
• Five Functions
– Identify, Protect, Detect, Respond, Recover
• Categories
– Examples: “Asset Management,” “Access Control,” and “Detection Processes.”
• Subcategories (high-level outcomes)
– Examples: “Physical devices and systems within the organization are catalogued,” “Data-at-rest is protected,” and “Notifications from the detection system are investigated.”
• Informative references (standards – ISO etc.)
The Chart
Framework Profile
• Alignment of two things:
– Functions, Categories, Subcategories and industry standards and best practices, with
– Business requirements, risk tolerance, and resources of the organization
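As an added example (not code from the slides, NIST or TIA), the following Python models the Core described above (Functions, Categories, Subcategories, Informative References) and the Profile's alignment step: it compares a constructed current profile with a target profile and produces the roadmap the Profile is meant to yield, ordered by business priority and effort. The subcategory ids, the reference strings and the priority/effort numbers are assumptions made for illustration.

```python
"""Added example (not NIST's or TIA's code): a toy model of the Framework
Core and a Profile gap roadmap. Subcategory ids such as "S1", the
Informative Reference strings, and the profile states are constructed;
the Function, Category and Subcategory wording is quoted from the slides."""
from dataclasses import dataclass

STATES = ("not implemented", "partial", "implemented")  # ordered for comparison

@dataclass(frozen=True)
class Subcategory:
    sid: str           # constructed id, not a NIST identifier
    function: str      # one of Identify, Protect, Detect, Respond, Recover
    category: str
    outcome: str       # the Subcategory's high-level outcome
    references: tuple  # Informative References (standards); constructed here

CORE = [
    Subcategory("S1", "Identify", "Asset Management",
                "Physical devices and systems within the organization are catalogued",
                ("ISO/IEC 27001",)),
    Subcategory("S2", "Protect", "Data Security",
                "Data-at-rest is protected", ("ISO/IEC 27001",)),
    Subcategory("S3", "Detect", "Detection Processes",
                "Notifications from the detection system are investigated",
                ("ISO/IEC 27001",)),
]

def profile_gaps(core, current, target, priority, effort):
    """Roadmap from the Current Profile to the Target Profile: every
    subcategory whose current state falls short of the target, ordered by
    business priority (high first) and then by effort (low first). The
    priority and effort maps stand in for risk tolerance and resources."""
    roadmap = []
    for sc in core:
        have = STATES.index(current.get(sc.sid, "not implemented"))
        want = STATES.index(target[sc.sid])  # ValueError on an unknown state
        if have < want:
            roadmap.append((sc.sid, sc.function, sc.outcome, want - have))
    roadmap.sort(key=lambda r: (-priority[r[0]], effort[r[0]]))
    return roadmap

def example_roadmap():
    """Constructed profiles for the three subcategories above."""
    current = {"S1": "partial", "S2": "not implemented", "S3": "implemented"}
    target = {sid: "implemented" for sid in ("S1", "S2", "S3")}
    priority = {"S1": 2, "S2": 3, "S3": 1}
    effort = {"S1": 1, "S2": 4, "S3": 1}
    return profile_gaps(CORE, current, target, priority, effort)

if __name__ == "__main__":
    for sid, fn, outcome, steps in example_roadmap():
        print(f"{sid} [{fn}] {outcome}: {steps} step(s) to target")
```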
Framework Tiers
• Describe an “increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is integrated into an organization’s overall risk management practices”
– Tier 1: Partial
– Tier 2: Risk-Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
Example – Tier 1: Partial
• Risk Management Process
– Organizational cybersecurity risk management practices are not formalized and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
• Integrated Program
– There is a limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
• External Participation
– An organization may not have the processes in place to participate in coordination or collaboration with other entities.
Example – Tier 4: Adaptive
• Risk Management Process
– The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous cybersecurity activities. Through a process of continuous improvement, the organization actively adapts to a changing cybersecurity landscape and responds to emerging/evolving threats in a timely manner.
• Integrated Program
– There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
• External Participation
– The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs.
Part IV – Issues & Next Steps
Potential Issues
• Incentives for adoption
– Cost is a factor
• Regulation
– How will agencies respond?
• Liability
– Does the Framework establish a “duty of care?”
– Tier 4 implementation “or else”?
• What will Congress do?
The Next Version: NIST Roadmap
• Authentication
• Automated Indicators
• Conformity Assessment
• Cybersecurity Workforce
• Data Analysis
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards
• Bottom Line – More To Come in Future Versions
Cyber Topics Missing from EO
• Cybercrime
• R&D efforts
• Cyber hygiene & education
• Data breach notification
• FISMA reform
• These things may require legislation
Conclusion / Contacts
Dileep Srihari – dsrihari@tiaonline.org
(703)-907-7715
Brian Scarpelli – bscarpelli@tiaonline.org
(703)-907-7714
Telecommunications Industry Association