White House unveils cybersecurity framework

The primary targets of the National Institute of Standards and Technology guidelines are the owners and operators of privately run critical infrastructure.

gold shield on top of computer code

A year after the executive order that mandated federal cybersecurity guidelines, senior White House officials on Feb. 12 rolled out the final "version 1.0" edition of a framework aimed at protecting the critical infrastructure sector.

The so-called final version of the framework -- which officials emphasize will continue to undergo improvements over time -- comes after multiple draft releases and numerous workshops engaging the private sector. The primary targets of the guidelines are the owners and operators of privately run critical infrastructure, particularly in the energy, financial and health care sectors. Officials also encouraged other businesses and government agencies to take advantage of the framework, developed under leadership of the National Institute of Standards and Technology.

Three main pieces comprise the framework: the core, consisting of cybersecurity activities, outcomes and references common across critical infrastructure sectors; profiles, developed under the core and focused on aligning cyber activities with business operations; and tiers, which "provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk."

"This is a major turning point in the cybersecurity discussion," one senior administration official said on a press call Feb. 12 ahead of the framework's release. "From today on we have new shared vocabulary about cybersecurity that will allow executives and [senior leadership] to set baselines" and make improvements to network security.

The framework "jumpstarts vital conversations between critical infrastructure companies and the government" on addressing cybersecurity efficiently and voluntarily "without reinventing the wheel," a second official added.

The NIST framework is supplemented by efforts at other agencies, particularly the Homeland Security Department, which is launching a critical infrastructure cyber community focused on coordinating cross-sector stakeholders, resources and efforts under a national umbrella. DHS also is offering cybersecurity resilience reviews that companies can either do themselves or have officials facilitate to gauge an organization's cybersecurity strength.

"DHS will work with sector-specific agencies to identify solutions best-suited to assess a given sector's capability gaps," a third senior administration official said on the press call. "These are innovative public-private partnerships to align critical infrastructure owners and operators with existing resources to use the framework and manage cyber risks."

Three things the framework does not do are create new regulations, provide incentives or offer metrics for measuring success.

"For the administration, the goal is not to expand regulations; our goal is to streamline existing regulations wherever possible and bring [those] into alignment with the framework," the first official said. To that end, agencies are reviewing existing programs and regulations and in May, per the executive order, will propose prioritized actions to mitigate risks.

Critics have pointed to the framework's lack of mechanisms for measuring its effectiveness, but officials said that is one area leadership will continue to work on as organizations implement the guidelines.

"The way the framework is laid out has each individual organization developing a profile and using that to [coordinate their] next steps. So the metrics will be unique to the organization," the second official said. "There will have to be some shared understanding of how to approach the issue of metrics; it's already been identified by companies working with us as something to continue to work on in the next version of the framework. I would consider the metrics discussion to be one that evolves over time."

Incentives represent another area that remains to be determined in the coming months. Cyber insurance, federal grants, recovery assistance, public recognition, regulatory streamlining and government contracting preference are some of the areas under discussion, but some of those require statutory changes to fully implement. Officials said the hope is that market influences will provide the chief incentives.

"Government incentives are important, but the market has to drive the base for the cybersecurity framework," the first official said.

Additional incentives are expected to come from DHS in the coming months, according to Phyllis Schneck, deputy undersecretary for cybersecurity.

Schneck, speaking Feb. 12 at the Center for National Policy in Washington, D.C., said DHS would be unveiling complementary efforts to strengthen voluntary cybersecurity programs and government incentives.

"The follow-up for DHS is to ... engage government stakeholders and private-sector stakeholders to adopt the principles of the framework," Schneck said. "There will be a phase one for the voluntary program ... and as we build that out, there will be a phase two and phase three of the voluntary program as it matures. We're still working on that; we'll be working on it constantly and publicly. Privacy will be a deep part, as well as metrics and how we measure success."

Privacy was one area that insiders expected to see addressed more comprehensively since the most recent iteration of the framework was released last fall. The final version, instead of having a separate appendix addressing privacy, integrates privacy solutions throughout the framework.