White House unveils cybersecurity framework

The primary targets of the National Institute of Standards and Technology guidelines are the owners and operators of privately run critical infrastructure.

A year after the executive order that mandated federal cybersecurity guidelines, senior White House officials on Feb. 12 rolled out the final "version 1.0" edition of a framework aimed at protecting the critical infrastructure sector.

The so-called final version of the framework -- which officials emphasize will continue to undergo improvements over time -- comes after multiple draft releases and numerous workshops engaging the private sector. The primary targets of the guidelines are the owners and operators of privately run critical infrastructure, particularly in the energy, financial and health care sectors. Officials also encouraged other businesses and government agencies to take advantage of the framework, developed under the leadership of the National Institute of Standards and Technology.

Three main pieces comprise the framework: the core, consisting of cybersecurity activities, outcomes and references common across critical infrastructure sectors; profiles, developed under the core and focused on aligning cyber activities with business operations; and tiers, which "provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk."

"This is a major turning point in the cybersecurity discussion," one senior administration official said on a press call Feb. 12 ahead of the framework's release. "From today on we have new shared vocabulary about cybersecurity that will allow executives and [senior leadership] to set baselines" and make improvements to network security.

The framework "jumpstarts vital conversations between critical infrastructure companies and the government" on addressing cybersecurity efficiently and voluntarily "without reinventing the wheel," a second official added.

The NIST framework is supplemented by efforts at other agencies, particularly the Homeland Security Department, which is launching a critical infrastructure cyber community focused on coordinating cross-sector stakeholders, resources and efforts under a national umbrella. DHS also is offering cybersecurity resilience reviews that companies can either do themselves or have officials facilitate to gauge an organization's cybersecurity strength.

"DHS will work with sector-specific agencies to identify solutions best-suited to assess a given sector's capability gaps," a third senior administration official said on the press call. "These are innovative public-private partnerships to align critical infrastructure owners and operators with existing resources to use the framework and manage cyber risks."

Three things the framework does not do are create new regulations, provide incentives or offer metrics for measuring success.

"For the administration, the goal is not to expand regulations; our goal is to streamline existing regulations wherever possible and bring [those] into alignment with the framework," the first official said. To that end, agencies are reviewing existing programs and regulations and in May, per the executive order, will propose prioritized actions to mitigate risks.

Critics have pointed to the framework's lack of mechanisms for measuring its effectiveness, but officials said that is one area leadership will continue to work on as organizations implement the guidelines.

"The way the framework is laid out has each individual organization developing a profile and using that to [coordinate their] next steps. So the metrics will be unique to the organization," the second official said. "There will have to be some shared understanding of how to approach the issue of metrics; it's already been identified by companies working with us as something to continue to work on in the next version of the framework. I would consider the metrics discussion to be one that evolves over time."

Incentives represent another area that remains to be determined in the coming months. Cyber insurance, federal grants, recovery assistance, public recognition, regulatory streamlining and government contracting preference are some of the areas under discussion, but some of those require statutory changes to fully implement. Officials said the hope is that market influences will provide the chief incentives.

"Government incentives are important, but the market has to drive the base for the cybersecurity framework," the first official said.

Additional incentives are expected to come from DHS in the coming months, according to Phyllis Schneck, deputy undersecretary for cybersecurity.

Schneck, speaking Feb. 12 at the Center for National Policy in Washington, D.C., said DHS would be unveiling complementary efforts to strengthen voluntary cybersecurity programs and government incentives.

"The follow-up for DHS is to ... engage government stakeholders and private-sector stakeholders to adopt the principles of the framework," Schneck said. "There will be a phase one for the voluntary program ... and as we build that out, there will be a phase two and phase three of the voluntary program as it matures. We're still working on that; we'll be working on it constantly and publicly. Privacy will be a deep part, as well as metrics and how we measure success."

Privacy was one area that insiders expected to see addressed more comprehensively since the most recent iteration of the framework was released last fall. The final version, instead of having a separate appendix addressing privacy, integrates privacy solutions throughout the framework.
