White House Tasks NIST with Producing Another Cybersecurity Framework

The National Institute of Standards and Technology will work with major tech and insurance companies to create a new framework to help companies build more secure software, according to a White House release.

“The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software,” reads a fact sheet the administration issued following a meeting with industry leaders at the White House Wednesday. “Microsoft, Google, Travelers, and Coalition committed to participating in this NIST-led initiative.”

Voluntary NIST frameworks have been the basis of U.S. cybersecurity policy going back to 2014, and the Biden administration is committed to maintaining as much of that approach as it can amid pressure to impose cybersecurity requirements due to the increasing scale and severity of recent attacks.

“Our view has long been that it is a combined responsibility of the federal government to put in place clear guidelines, clear best practices, and the private sector to take steps to harden their own cybersecurity,” White House Press Secretary Jen Psaki said during Wednesday’s press briefing when asked whether cybersecurity mandates might be necessary.

The administration also said it is now encouraging natural gas pipeline operators to deploy technologies that “provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities.” The effort is part of an initiative  that has “already improved the cybersecurity of more than 150 electric utilities,” according to the White House fact sheet.

Companies participating in the meeting with President Joe Biden and senior administration officials announced their intention to contribute to cybersecurity in various ways, including with training and certification programs to improve the anemic workforce. 

IBM and Google committed to assisting with the training and certification of 250,000 people over the next three years with the former planning to partner with “more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.” Microsoft also committed to “immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.”

Google and Microsoft said they would spend $10 billion and $20 billion respectively in cybersecurity over the next five years. Google said its investment would “expand zero-trust programs, help secure the software supply chain, and enhance open-source security” and Microsoft said its contribution would be to “accelerate efforts to integrate cyber security by design and deliver advanced security solutions.”

Without assigning a dollar amount, Apple committed to starting a program that will look to increase its suppliers’ adoption of multifactor authentication, security training vulnerability remediation, event logging and incident response. Amazon said it would provide free security awareness training to the public and a multifactor authentication option for customers of its web services.

The announcements drew praise from Rep. Jim Langevin, D-R.I, a member of the congressionally mandated Cyberspace Solarium Commission and a leading cybersecurity voice in Congress. “I hope [the president] will consider making this type of summit an annual affair,” he said in a release.  

The White House’s inclusion of insurance companies in Wednesday’s meeting suggests agreement with the Solarium Commission’s recommendations around the role insurers can play improving security. The issue has been controversial with federal contractors pushing back on what they perceived as efforts to mandate cyber insurance policies. 

After the meeting, cyber insurance provider Resilience announced it will look to fulfill the security role of insurers by “requiring policy holders to meet a threshold of cybersecurity best practice as a condition of receiving coverage.”

In remarks at the start of the meeting, Biden stressed other ways his administration is taking on cybersecurity, most notably through a May 12 executive order that will eventually require government contractors to implement certain practices. 

“Because of that order, government will only buy tech products that meet certain cybersecurity standards, which will have a ripple effect across the software industry, in our view, ultimately improving security for all Americans,” he said.