Twelve months ago, the President laid out an exceptional challenge for the federal government: to develop a framework of best practices and standards to help the critical infrastructure sector improve its cybersecurity, while protecting privacy and civil liberties, based on the thinking of the best minds in industry, academia, and advocacy groups.
Twelve months may seem like a long time, but for an issue as complex as cybersecurity that touches, well, everybody, this was an extraordinary goal. But there was no question that we had to rise to this challenge, because near-term action was critical to shoring up our collective defenses against increasing cyber-based threats to our critical infrastructure, our economy, our personal information, and indeed the way we operate on the internet every day. And we have had continued reminders of the urgent need to increase our cyber protections over the course of the past year, as news reports of data breaches and denial of service attacks have become more frequent.
Well, I’m proud to say that we – collectively – have done it. After a year-long sprint, the Department of Commerce’s National Institute of Standards and Technology (NIST) published the finalized version of the first Framework for Improving Critical Infrastructure Cybersecurity on February 12. And we are seeing very positive responses just a week after the release. Businesses, state government, advocacy groups, and even foreign partners have come out to support the Framework and recognize the importance of this initial step on the road to improved cybersecurity. Companies have begun to use the framework to aid in communication with their Boards and C-suites and have told us that it can provide a valuable tool to communicate security requirements with their supply chain. And we are gratified that others are enthusiastic as well.
I’m not going to go into too many details of what’s in the Framework; you can read about that on NIST’s website and you can read about our program to support voluntary adoption on DHS’s website. And of course, you can read the President’s statement about the Cybersecurity Framework, and the White House press release to find out more.
Instead, what I want to emphasize here are four key points:
- The Framework is exactly that – a framework. It provides a common language and systematic methodology for managing cyber risk. It does not tell a company how much cyber risk is tolerable, nor does it claim to provide “the one and only” formula for cybersecurity. No single document could try to do that and be useful across all 16 critical infrastructure sectors, all sizes and types of organizations, and all operating environments. But we should not underestimate the power of a common lexicon to enable action across a very diverse set of stakeholders. That’s what will enable the best practices of elite companies to become the standard practices for everyone.
- The Framework is a first step. Although we have released the first version, we expect more in the future as our cybersecurity improves. The Framework is intended to be a living document that the stakeholder community updates over time as we learn from implementation, and as technology and risks change. That’s another reason why the Framework focuses on the questions an organization needs to ask to manage its cyber risk. The practices, technology, and standards will change over time – the questions won’t.
- We are encouraging voluntary adoption of the Framework. The Framework is a flexible, highly adaptable document, and its adoption will be market-driven. As a nation, we need to improve cyber protections across the broadest set of stakeholders possible to achieve the collective benefit of security for all. The fastest way to do this is through relentlessly encouraging, helping and, where possible, incentivizing, voluntary adoption.
- This is a strong public-private partnership. Cyber is a team sport, and we need everyone on the field playing their part. In fact, no single organization or sector or group can solve these challenges. The open and collaborative process that we used to develop the Framework represents a good, repeatable process for developing public policy on complex, pervasive technical issues.
As with all things involving security, we will never be “done” working to make improvements. But there are some key next steps where DHS and NIST need your help:
- We need you to kick the tires. We need organizations to begin using the Framework and see how well it can work for different sizes and types of organizations.
- We need your feedback to make the Framework better. We need you to share your experience with us on how using the Framework worked – or didn’t work – for your organization. Feedback is essential to improving the Framework and making it better in future versions.
- In short, we need your continued engagement. The Framework is intended to be a living document. We need your collective experience and knowledge to make it better over time.
I want to conclude by thanking our government team for what has been a truly remarkable effort over the past 12 months. But even more, I want to thank our partners in industry, academia, state and local government, and advocacy groups for their thoughtful engagement in this process. I look forward to continuing to work with all of you to make our shared cyber ecosystem more secure.
Michael Daniel is Special Assistant to the President and the Cybersecurity Coordinator.