What Have You Heard About The Cybersecurity Framework?

Posted by Joseph T. Freeman on January 28th, 2023

The President of the United States has given the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST) and the Department of Commerce the task of developing a multi-sectoral cybersecurity framework.

On Wednesday, April 3, 2013, the Special Assistant of the President for cyber security opened a panel discussion in Washington, D.C. about Presidential Executive Order 136336. The panel discussed the steps involved in creating a national standard.

Congress had rejected a bill that included the essence of the Executive Order's requirements.

Participants were presented with the general approach of the responsible federal officials. The ultimate goal of the meeting was to create a cybersecurity framework that can be applied across all the nation's critical infrastructures (as per Presidential Decision Directive 63). The framework's goal is to safeguard cyber-based assets that are essential to the national security and economic growth of the United States. This was described as "the new normal" for industry, government and business.

The private sector owns 85 percent of critical infrastructure in the country. The potential consequences for industry and business are significant. Below are a few perspectives to consider.

1. The Executive Branch of the federal government considers cybersecurity critical.
2. Our critical national infrastructure faces a growing threat environment that is increasingly complex and severe.
3. The cybersecurity framework will focus on identifying threats at all levels to critical national infrastructure.
4. The cybersecurity framework is collaborative and risk-based.
5. The cybersecurity framework should emphasize understanding risk-based management.
6. Cross-sector Information Sharing Analysis Centers are essential to improve situational awareness.
7. International information security standards are compatible and will be recognized.
8. It is important to consider privacy and civil rights.
9. Every entity, public or private, must identify and address risks.
10. The cybersecurity framework must include employee awareness.
11. A clear and concise legal framework is essential for cybersecurity.
12. It is important to be aware of the functions of control systems and how they can be secured.
13. The cybersecurity framework that results must be repeatable, valid, and measurable.
14. Success of the new cybersecurity framework will depend on what panel members called "voluntary compliance".

The development of the new security framework has attracted the support of major industry leaders. The panel included senior executives from Visa, Microsoft, Merck, Northrop Grumman, IBM, SANS and ANSI, among others.

All interested parties should monitor the development of computer security standards. No matter what the final cybersecurity framework product is, there will be legitimate concerns.

The federal government will issue decrees regarding how private sector data is processed, secured and protected through voluntary compliance. What does "voluntary compliance" mean? How does this work? One option is to audit an organization in order to see if it is complying with the framework. The federal government might ban an organization from becoming a supplier if it has not met the requirements. There are many options.

It is a worrying time for government agencies to be regulating and using metadata. These worries are not alleviated by the emerging cybersecurity framework.
