Program and Project Management Study

Our Forum will conduct public/private sector collaboration to help interested parties create supplemental guidance explaining the role of program and project management relative to the creation and delivery of cyber resilient services.

Program and project management have important roles in helping underpin cyber resilience/security to protect business value. Organizations that are not taking advantage of the two may be putting themselves at risk. The following are the initial topics of consideration. We are open to other useful considerations.

Topics to be addressed could include but are not limited to:

Identify Interdependence of IT service management and program, portfolio, and project management:

  • Come to an understanding of why these practices are not mutually exclusive and how they complement each other.
  • Show what needs to be done to properly integrate and align so program and project management complement each other and increase the service provider’s ability to deliver value.
  • Identify the natural touch points to the Foundation for Public Private Collaboration[1] and where integration must be accomplished.
  • Identify measurable business value.

Elements of successful project management:

  • Clarify the relationship between project management standards such as ISO 21500, bodies of knowledge such as the PMBOK®[2], including methods such as PRINCE2®[3], and the Baldrige Cybersecurity Initiative.

Project management in a ‘bi-modal’ environment:

  • Discuss the importance of evaluation mechanisms for choosing between traditional vs. agile project methods, and how these methods can peacefully co-exist.

The Forum will use the broadly accepted Foundation for Public and Private Collaboration as the framework for discussion. The guidance will be a parallel document referencing this body of work to help participants operationalize outcomes.  Best practices and lessons learned will be made available to all interested parties.

A broad audience of subject matter experts has committed to participate, including organizations from several critical infrastructure sectors, civilian and defense agencies, state governments and supporting not-for-profit associations.

The study kickoff meeting planned for the last week of February will clarify the scope and topics covered for this activity.  The Forum is accepting comments for these purposes.

[1] The Foundation for Public Private Collaboration document serves two purposes: the first is as a foundation for public and private collaboration, the second is as operational guidance. The Global Forum for Advanced Cyber Resilience is the custodian. A copy of the FPPC can be found here.

[2] PMBOK® is a registered trademark of Project Management Institute.

[3] Prince2® is a registered trademark of AXELOS llc.

Framework for Improving Critical Infrastructure Cybersecurity Update

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity

AGENCY: National Institute of Standards and Technology, Commerce.

ACTION: Notice, request for comments.

SUMMARY: The National Institute of Standards and Technology (NIST) requests comments on a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (the ‘‘Framework’’). The voluntary Framework consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments. It has been used with increasing frequency and in a variety of ways by organizations of all sizes, areas of interest, and based inside and outside the United States.

This Request for Comments (RFC) is meant to facilitate coordination with ‘‘private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations’’ as directed by the Cybersecurity Enhancement Act of 2014.[1] The proposed update to the Framework is available for review at http://www.nist.gov/cyberframework. Responses to this RFC will be posted at http://www.nist.gov/cyberframework and will inform NIST’s planned update to the Framework.

DATES: Comments must be received by 5:00 p.m. Eastern time on April 10, 2017.

ADDRESSES: Written comments may be submitted by mail to Edwin Games, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in electronic form may be sent to cyberframework@nist.gov in any of the following formats: HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include your name, organization’s name (if any), and cite ‘‘Comments on Draft Update of the Framework for Improving Critical Infrastructure Cybersecurity’’ in all correspondence. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. The proposed update to the Framework is available for review at http://www.nist.gov/cyberframework.

All comments received in response to this RFC will be posted at http://www.nist.gov/cyberframework without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.

FOR FURTHER INFORMATION CONTACT: For questions about this RFC contact: Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue NW., Washington, DC 20230, telephone (202) 482–0788, email Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST’s Office of Public Affairs at (301) 975–2762.

SUPPLEMENTARY INFORMATION: The national and economic security of the United States depends on the reliable functioning of critical infrastructure,[2] which has become increasingly dependent on information technology. Cyber attacks and publicized weaknesses reinforce the need for improved capabilities for defending against malicious cyber activity. This is a long-term challenge.

The Secretary of Commerce was tasked to direct the Director of NIST to lead the development of a voluntary framework to reduce cyber risks to critical infrastructure (the ‘‘Framework’’).[3] The Framework consists of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 25, 2013 (78 FR 13024), a series of open public workshops, and a 45-day public comment period announced in the Federal Register on October 29, 2013 (78 FR 64478). It was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments, and announced in the Federal Register on February 18, 2014 (79 FR 9167). Responses to subsequent RFIs, as announced through the Federal Register (79 FR 50891 and 80 FR 76934), and workshops encouraged NIST to update the Framework. The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and is consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Cybersecurity Enhancement Act of 2014. The Framework is designed for compatibility with existing regulatory authorities and regulations, although it is intended for voluntary adoption. Given the diversity of sectors in the Nation’s critical infrastructure, the Framework development process was designed to build on cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure. The process also was intended to increase visibility and use of those standards and guidelines, and to find potential areas for improvement (e.g., where standards/guidelines are nonexistent) that need to be addressed through future collaboration with industry and industry-led standards bodies. While the focus of the Framework is on the Nation’s critical infrastructure, it was developed in a manner to promote wide adoption of practices to increase risk management-based cybersecurity across all industry sectors and by all types of organizations. NIST has worked closely with industry groups, associations, non-profits, government agencies, and international standards bodies to increase awareness of the Framework. NIST has promoted the use of the Framework as a basic, flexible, and adaptable tool for managing and reducing cybersecurity risks.

The Framework was designed as a communication tool. It is applicable for leaders at all levels of an organization. For these reasons, NIST has engaged a wide diversity of stakeholders in Framework education. NIST has also issued several RFIs, held workshops, and encouraged direct communication with potential and current users of the Framework. Based on the information received from the public via these channels and the work that it has carried out on cybersecurity—including its collaborative efforts with the private sector—NIST has developed a draft update of the Framework (termed ‘‘Version 1.1’’ or ‘‘V1.1’’), available at http://www.nist.gov/cyberframework. This draft update seeks to clarify, refine, and enhance the Framework, and make it easier to use, while retaining its flexible, voluntary, and cost-effective nature. The update also will be fully compatible with the February 2014 version of the Framework in that either version may be used by organizations without degrading communication or functionality.

Request for Comments

NIST is soliciting public comments on this proposed update. Specifically, NIST is interested in comments that address updated features of the Framework. These features seek to:

  • Clarify Implementation Tier use and relationship to Profiles,
  • Enhance guidance for applying the Framework for supply chain risk management,
  • Provide guidance on metrics and measurements using the Framework,
  • Update the FAQs to support understanding and use of Framework, and
  • Update the Informative References.

NIST also will consider comments on other aspects of the Framework update. All comments will be made available to the public. These comments will be analyzed and will be one focus of a public workshop to be held in May 2017.

Details about that workshop, which also will feature user experiences with the Framework, will be announced on the NIST Cybersecurity Framework Web site at: https://www.nist.gov/cyberframework. To receive notice about the workshop, please contact: cyberframework@nist.gov. After the May 2017 workshop and considering the comments received on this draft update, NIST intends to issue a final version of Framework V1.1 along with an updated Roadmap[4] document that describes recommended activities in work areas that are related and complementary to the Framework.

Kevin Kimball, NIST Chief of Staff.

[FR Doc. 2017–01599 Filed 1–24–17; 8:45 am]
BILLING CODE 3510–13–P

[1] See 15 U.S.C. 272(e)(1)(A)(i). The Cybersecurity Enhancement Act of 2014 (S.1353) became public law 113–274 on December 18, 2014.

[2] For the purposes of this RFC the term ‘‘critical infrastructure’’ has the meaning given the term in 42 U.S.C. 5195c(e): ‘‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.’’

[3] See Executive Order 13636, Improving Critical Infrastructure Cybersecurity (Feb. 12, 2013),


Cybersecurity Framework 1.1 Draft

NIST released its Cybersecurity Framework 1.1 draft today, and you can find it here.

NIST Cybersecurity Framework Draft 1.1
Cybersecurity Framework 1.1 with comments
Cybersecurity Framework 1.1 draft excel

From Cybersecurity Framework 1.1 Draft

The draft Version 1.1 of the Cybersecurity Framework refines, clarifies, and enhances the predecessor Version 1.0. Version 1.1 can be implemented by first-time and current Framework users. Current users can implement Version 1.1 with minimal or no disruption, as refinements were made with the objective of being compatible with Version 1.0. As with Version 1.0, use of Version 1.1 is voluntary. Users of Version 1.1 are invited to customize the Framework to maximize organizational value. The impetus to change and the proposed changes were collected from:

• Feedback and frequently asked questions to NIST since release of Framework Version 1.0 in February 2014,
• 105 responses to the December 2015 request for information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity, and
• Comments provided by approximately 800 attendees at a workshop held in Gaithersburg, Maryland on April 6-7, 2016.

In addition, NIST previously released Version 1.0 of the Cybersecurity Framework with a companion document, NIST Roadmap for Improving Critical Infrastructure Cybersecurity. This Roadmap highlighted key “areas of improvement” for further “development, alignment, and collaboration.” Through both private and public sector efforts, some areas of improvement have advanced enough to be included in the Framework Version 1.1.

itSMF USA Event

itSMF USA Advancing Cyber Resilience through Collaboration
itSMF USA FUSION16
Las Vegas, NV  November 02,
Experience Level: Advanced
This was a great success. There was a mix of people representing the government and private organizations, big and small participating. This was perfect for our value proposition.
The disconnection between ITSM and cyber resilience efforts across all sectors was obvious. Understanding this leads to great opportunity.
The focus of our session was to help identify the people who need to be at the table during the strategy phase of a product or service along with the value of collaboration. The attendees were left hungry for more time on the topic.
Advancing cyber resilience and business value through collaboration is a great opportunity.
We are excited to see our review of this session:
Average Overall Scores: 1 - 5
· Overall this session was: 5
· Speaker(s) expertise/knowledge of subject: 5
· Speaker(s) presentation skills: 5
· Value of Q&A segment: 5
· Practicality: 5
· Compliance with non-commercialism policy: 5
· Should this session be repeated next year: 100%
· Would you recommend this speaker for future events: 100%
· Was the session content what you thought it would be: 100%

charlie tupitza joan coolidge

Program Management Act Passes

Program Management Improvement Accountability Act
Signed into law 12/14/2016.

Summary Here
Public Law No: 114-264 (12/14/2016)

(This measure has not been amended since it was passed by the House on September 22, 2016. The summary of that version is repeated here.)

(Sec. 2) This bill establishes as additional functions of the Deputy Director for Management of the Office of Management and Budget (OMB) requirements to:

  • adopt and oversee implementation of government-wide standards, policies, and guidelines for program and project management for executive agencies;
  • chair the Program Management Policy Council (established by this Act);
  • establish standards and policies for executive agencies consistent with widely accepted standards for program and project management planning and delivery;
  • engage with the private sector to identify best practices in program and project management that would improve federal program and project management;
  • conduct portfolio reviews to address programs identified as high risk by the Government Accountability Office (GAO);
  • conduct portfolio reviews of agency programs at least annually to assess the quality and effectiveness of program management; and
  • establish a five-year strategic plan for program and project management.

The bill exempts the Department of Defense (DOD) from such provisions to the extent that they are substantially similar to: (1) federal provisions governing the defense acquisition workforce; or (2) policy, guidance, or instruction of DOD related to program management.

The head of each federal agency that is required to have a Chief Financial Officer shall designate a Program Management Improvement Officer to implement agency program management policies and develop a strategy for enhancing the role of program managers within the agency. The OMB must submit a report containing such strategy within one year after enactment of this bill. The Under Secretary of Defense for Acquisition, Technology, and Logistics shall be considered the Program Management Improvement Officer for DOD.

The Program Management Policy Council is established within OMB to act as the principal interagency forum for improving agency practices related to program and project management.

The Office of Personnel Management must issue regulations that: (1) identify key skills and competencies needed for an agency program and project manager, (2) establish a new job series or update and improve an existing job series for program and project management within an agency, and (3) establish a new career path for program and project managers.

The GAO must issue a report within three years of enactment, in conjunction with its high risk list, examining the effectiveness of the following (as required or established under this Act) on improving federal program and project management:

  • the standards, policies, and guidelines for program and project management;
  • the strategic plan;
  • Program Management Improvement Officers; and
  • the Program Management Policy Council.

The Act

To amend title 31, United States Code, to establish entities tasked with improving program and project management in certain Federal agencies, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled

SECTION 1. Short title.

Program Management Improvement Accountability Act

SEC. 2. Project Management.

(a) Deputy director for management.—

(1) ADDITIONAL FUNCTIONS.—Section 503 of title 31, United States Code, is amended by adding at the end the following:

(c) Program and project management.—


(1) REQUIREMENT.—Subject to the direction and approval of the Director, the Deputy Director for Management or a designee shall—

(A) adopt government wide standards, policies, and guidelines for program and project management for executive agencies;

(B) oversee implementation of program and project management for the standards, policies, and guidelines established under subparagraph (A);

(C) chair the Program Management Policy Council established under section 1126(b);

(D) establish standards and policies for executive agencies, consistent with widely accepted standards for program and project management planning and delivery;

(E) engage with the private sector to identify best practices in program and project management that would improve Federal program and project management;

(F) conduct portfolio reviews to address programs identified as high risk by the Government Accountability Office;

(G) not less than annually, conduct portfolio reviews of agency programs in coordination with Project Management Improvement Officers designated under section 1126(a)(1) to assess the quality and effectiveness of program management; and

(H) establish a 5-year strategic plan for program and project management.

(2) APPLICATION TO DEPARTMENT OF DEFENSE.—Paragraph (1) shall not apply to the Department of Defense to the extent that the provisions of that paragraph are substantially similar to or duplicative of—

(A) the provisions of chapter 87 of title 10; or

(B) policy, guidance, or instruction of the Department related to program management.

(2) DEADLINE FOR STANDARDS, POLICIES, AND GUIDELINES.—Not later than 1 year after the date of enactment of this Act, the Deputy Director for Management of the Office of Management and Budget shall issue the standards, policies, and guidelines required under section 503(c) of title 31, United States Code, as added by paragraph (1).

(3) REGULATIONS.—Not later than 90 days after the date on which the standards, policies, and guidelines are issued under paragraph (2), the Deputy Director for Management of the Office of Management and Budget, in consultation with the Program Management Policy Council established under section 1126(b) of title 31, United States Code, as added by subsection (b)(1), and the Director of the Office of Management and Budget, shall issue any regulations as are necessary to implement the requirements of section 503(c) of title 31, United States Code, as added by paragraph (1).

(b) Program management improvement officers and program management policy council.—

(1) AMENDMENT.—Chapter 11 of title 31, United States Code, is amended by adding at the end the following:

§ 1126. Program management improvement officers and program management policy council

(a) Program management improvement officers.—

(1) DESIGNATION.—The head of each agency described in section 901(b) shall designate a senior executive of the agency as the Program Management Improvement Officer of the agency.

(2) FUNCTIONS.—The Program Management Improvement Officer of an agency designated under paragraph (1) shall—

(A) implement program management policies established by the agency under section 503(c); and

(B) develop a strategy for enhancing the role of program managers within the agency that includes the following:

(i) Enhanced training and educational opportunities for program managers that shall include—

(I) training in the relevant competencies encompassed with program and project manager within the private sector for program managers; and

(II) training that emphasizes cost containment for large projects and programs.

(ii) Mentoring of current and future program managers by experienced senior executives and program managers within the agency.

(iii) Improved career paths and career opportunities for program managers.

(iv) A plan to encourage the recruitment and retention of highly qualified individuals to serve as program managers.

(v) Improved means of collecting and disseminating best practices and lessons learned to enhance program management across the agency.

(vi) Common templates and tools to support improved data gathering and analysis for program management and oversight purposes.

(3) APPLICATION TO DEPARTMENT OF DEFENSE.—This subsection shall not apply to the Department of Defense to the extent that the provisions of this subsection are substantially similar to or duplicative of the provisions of chapter 87 of title 10. For purposes of paragraph (1), the Under Secretary of Defense for Acquisition, Technology, and Logistics (or a designee of the Under Secretary) shall be considered the Program Management Improvement Officer.

(b) Program management policy council.—

(1) ESTABLISHMENT.—There is established in the Office of Management and Budget a council to be known as the ‘Program Management Policy Council’ (in this subsection referred to as the ‘Council’).

(2) PURPOSE AND FUNCTIONS.—The Council shall act as the principal interagency forum for improving agency practices related to program and project management. The Council shall—

(A) advise and assist the Deputy Director for Management of the Office of Management and Budget;

(B) review programs identified as high risk by the General Accountability Office and make recommendations for actions to be taken by the Deputy Director for Management of the Office of Management and Budget or a designee;

(C) discuss topics of importance to the workforce, including—

(i) career development and workforce development needs;

(ii) policy to support continuous improvement in program and project management; and

(iii) major challenges across agencies in managing programs;

(D) advise on the development and applicability of standards government wide for program management transparency; and

(E) review the information published on the website of the Office of Management and Budget pursuant to section 1122.

(3) MEMBERSHIP.—

(A) COMPOSITION.—The Council shall be composed of the following members:

(i) Five members from the Office of Management and Budget as follows:

(I) The Deputy Director for Management.

(II) The Administrator of the Office of Electronic Government.

(III) The Administrator of Federal Procurement Policy.

(IV) The Controller of the Office of Federal Financial Management.

(V) The Director of the Office of Performance and Personnel Management.

(ii) The Program Management Improvement Officer from each agency described in section 901(b).

(iii) Any other full-time or permanent part-time officer or employee of the Federal Government or member of the Armed Forces designated by the Chairperson.

(B) CHAIRPERSON AND VICE CHAIRPERSON.—

(i) IN GENERAL.—The Deputy Director for Management of the Office of Management and Budget shall be the Chairperson of the Council. A Vice Chairperson shall be elected by the members and shall serve a term of not more than 1 year.

(ii) DUTIES.—The Chairperson shall preside at the meetings of the Council, determine the agenda of the Council, direct the work of the Council, and establish and direct subgroups of the Council as appropriate.

(4) MEETINGS.—The Council shall meet not less than twice per fiscal year and may meet at the call of the Chairperson or a majority of the members of the Council.

(5) SUPPORT.—The head of each agency with a Project Management Improvement Officer serving on the Council shall provide administrative support to the Council, as appropriate, at the request of the Chairperson.

(2) REPORT REQUIRED.—Not later than 1 year after the date of enactment of this Act, the Director of the Office of Management and Budget, in consultation with each Program Management Improvement Officer designated under section 1126(a)(1) of title 31, United States Code, shall submit to Congress a report containing the strategy developed under section 1126(a)(2)(B) of such title, as added by paragraph (1).

(c) Program and project management personnel standards.—

(1) DEFINITION.—In this subsection, the term agency means each agency described in section 901(b) of title 31, United States Code, other than the Department of Defense.

(2) REGULATIONS REQUIRED.—Not later than 180 days after the date on which the standards, policies, and guidelines are issued under section 503(c) of title 31, United States Code, as added by subsection (a)(1), the Director of the Office of Personnel Management, in consultation with the Director of the Office of Management and Budget, shall issue regulations that—

(A) identify key skills and competencies needed for a program and project manager in an agency;

(B) establish a new job series, or update and improve an existing job series, for program and project management within an agency; and

(C) establish a new career path for program and project managers within an agency.

(d) Gao report on effectiveness of policies on program and project management.—Not later than 3 years after the date of enactment of this Act, the Government Accountability Office shall issue, in conjunction with the High Risk list of the Government Accountability Office, a report examining the effectiveness of the following on improving Federal program and project management:

(1) The standards, policies, and guidelines for program and project management issued under section 503(c) of title 31, United States Code, as added by subsection (a)(1).

(2) The 5-year strategic plan established under section 503(c)(1)(H) of title 31, United States Code, as added by subsection (a)(1).

(3) Program Management Improvement Officers designated under section 1126(a)(1) of title 31, United States Code, as added by subsection (b)(1).

(4) The Program Management Policy Council established under section 1126(b)(1) of title 31, United States Code, as added by subsection (b)(1).


President’s Commission on Cybersecurity

The President’s Commission on Enhancing National Cybersecurity Report on Securing and Growing the Digital Economy has been released and can be found here: presidents-cybersecurity_report

Executive Summary


Recognizing the extraordinary benefit interconnected technologies bring to our digital economy—and equally mindful of the accompanying challenges posed by threats to the security of the cyber landscape—President Obama established this Commission on Enhancing National Cybersecurity. He directed the Commission to assess the state of our nation’s cybersecurity, and he charged this group with developing actionable recommendations for securing the digital economy. The President asked that this enhanced cybersecurity be achieved while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the discovery and development of new technical solutions.


The interconnectedness and openness made possible by the Internet and broader digital ecosystem create unparalleled value for society. But these same qualities make securing today’s cyber landscape difficult. As the world becomes more immersed in and dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens. Technological advancement is outpacing security and will continue to do so unless we change how we approach and implement cybersecurity strategies and practices. Recent attacks in which everyday consumer devices were compromised for malicious use have made it abundantly clear that we now live in a much more interdependent world. The once-bright line between what is critical infrastructure and everything else becomes more blurred by the day.

While the threats are real, we must keep a balanced perspective. We should be able to reconcile security with innovation and ease of use. The Internet is one of the most powerful engines for social change and economic prosperity. We need to preserve those qualities while hardening it and making it more resilient against attack and misuse. Changes in policies, technologies, and practices must build on the work begun by the private sector and government, especially over the past several years, to address these issues.

Our commitment to cybersecurity must match our commitment to innovation. If our digital economy is to thrive, it must be secure. That means that every enterprise in our society—large and small companies, government at all levels, educational institutions, and individuals—must be more purposefully and effectively engaged in addressing cyber risks. They must also have greater accountability and responsibility for their own security, which, as we now know all too well, directly impacts the cybersecurity of our country.

From its inception, this nonpartisan Commission developed a report directed both to President Obama and to the President-elect. The Commissioners, who possess a range of expertise relating to cybersecurity, reviewed past reports and consulted with technical and policy experts. The Commission held public hearings, issued an open solicitation for input, and also invited the public at large to share facts and views. It devoted attention to areas including critical infrastructure, the Internet of Things (IoT), research and development (R&D), public awareness and education, governance, workforce, state and local issues, identity management and authentication, insurance, international issues and the role of small and medium-sized businesses.

The Commission identified and considered broader trends affecting each of these topics, notably the convergence of information technologies and physical systems, risk management, privacy and trust, global versus national realms of influence and controls, the effectiveness of free markets versus regulatory regimes and solutions, legal and liability considerations, the importance and difficulty of developing meaningful metrics for cybersecurity, automated technology-based cybersecurity approaches, and consumer responsibilities. In these areas and others, the Commissioners examined what is working well, where the challenges exist, and what needs to be done to incentivize and cultivate a culture of cybersecurity in the public and private sectors.

There was much to readily agree on, including the growing convergence and interdependencies of our increasingly connected world; the need for greater awareness, education, and active stakeholder engagement in all aspects of cybersecurity, from developers and service providers to policy makers and consumers; the ways in which small- and medium-sized companies face additional pressures and limitations in addressing cybersecurity and the importance of remedying that situation, especially in light of their role in the supply chain; and the need, from both operational and mission perspectives, to clarify the federal government’s roles and responsibilities.

It was also evident that most solutions require joint public–private action. Every enterprise in our society—large and small companies, government at all levels, educational institutions, and individuals—must be more purposefully and effectively engaged in addressing cyber risks. They must be equipped to understand the role they play in their own security and how their actions directly impact the cybersecurity of the nation more broadly.

Other areas required more consideration:

  • how best to incentivize appropriate cybersecurity behaviors and actions and how to determine if or when requirements are called for;
  • who should lead in developing some of the most urgently needed standards and how best to assess whether those standards are being met;
  • what is the feasibility of better informing consumers, for example, through labeling and rating systems;
  • which kinds of research and development efforts are most needed and at what cost;
  • how to project the right number of new cybersecurity professionals our economy needs and how to choose among different approaches for attracting and training the workforce at all levels; and,
  • what the roles and relationships of senior federal officials should be and how best to ensure that they not only have the right authorities but are empowered to take the appropriate actions.

From these discussions, some firm conclusions emerged. Partnerships—between countries, between the national government and the states, between governments at all levels and the private sector—are a powerful tool for encouraging the technology, policies, and practices we need to secure and grow the digital economy. The Commission asserts that the joint collaboration between the public and private sectors before, during, and after a cyber event must be strengthened. When it comes to cybersecurity, organizations cannot operate in isolation.

Resilience must be a core component of any cybersecurity strategy; today’s dynamic cyber threat environment demands a risk management approach for responding to and recovering from an attack.

After building on those points of agreement and identifying foundational principles, the Commissioners organized their findings into six major imperatives, which together contain a total of 16 recommendations and 53 associated action items.

The imperatives are:

  1. Protect, defend, and secure today’s information infrastructure and digital networks.
  2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
  3. Prepare consumers to thrive in a digital age.
  4. Build cybersecurity workforce capabilities.
  5. Better equip government to function effectively and securely in the digital age.
  6. Ensure an open, fair, competitive, and secure global digital economy.

A table detailing these imperatives and their associated recommendations and action items is included in Appendix 1. The groupings should not be viewed as distinct and isolated categories; indeed, a number of recommendations apply to more than the imperative under which they first appear. The text notes when action items are particularly relevant to other imperatives. This structure reflects the interdependent nature of our digital economy, where steps taken to improve the cybersecurity of one enterprise can meaningfully improve the posture and preparedness of others.

Each recommendation is designed to have a major impact, and each action item is meant as a concrete step toward achieving that impact. Many require a commitment of financial resources far above the level we see today. Some are directed at government, some at the private sector, and many at both. Some call for entirely new initiatives, while others call for building on promising efforts currently under way.

Acknowledging the urgency of the challenges facing our nation, the Commission determined that most recommendations can and should begin in the near term, with many meriting action within the first 100 days of the new Administration. All of these recommendations and actions highlight the need for the private sector, government, and American public to recognize cybersecurity as an integral part of our welfare with serious implications for our country’s national and economic security and our prospects to maintain a free and open society.

FCC Privacy Rules Released

FCC Privacy of Customers Rules for Telecommunications Released

Find FCC privacy rules here: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

SUMMARY: In this document, the Federal Communications Commission (Commission) adopts final rules, based on public comments, applying the privacy requirements of the Communications Act of 1934, as amended, to broadband Internet access service (BIAS) and other telecommunications services. In adopting these rules the Commission implements the statutory requirement that telecommunications carriers protect the confidentiality of customer proprietary information.

The privacy framework in these rules focuses on transparency, choice, and data security, and provides heightened protection for sensitive customer information, consistent with customer expectations.


The rules require carriers to provide privacy notices that clearly and accurately inform customers; obtain opt-in or opt-out customer approval to use and share sensitive or non-sensitive customer proprietary information, respectively; take reasonable measures to secure customer proprietary information; provide notification to customers, the Commission, and law enforcement in the event of data breaches that could result in harm; not condition provision of service on the surrender of privacy rights; and provide heightened notice and obtain affirmative consent when offering financial incentives in exchange for the right to use a customer’s confidential information.

The Commission also revises its current telecommunications privacy rules to harmonize today’s privacy rules for all telecommunications carriers, and provides a tailored exemption from these rules for enterprise customers of telecommunications services other than BIAS.

FCC Privacy Ruling Effect on State Law

The rules set forth in this subpart shall preempt any State law only to the extent that such law is inconsistent with the rules set forth herein and only if the Commission has affirmatively determined that the State law is preempted on a case-by-case basis. The Commission shall not presume that more restrictive State laws are inconsistent with the rules set forth herein.

National Cybersecurity Policy Forum

The National Cybersecurity Policy Forum is having an event 6 December 2016 at the National Press Club.

Find registration information and agenda here.

U.S. Commerce Secretary Penny Pritzker will deliver the keynote address at the eighth USTelecom National Cybersecurity Policy Forum. Join us for a discussion of cyber policy initiatives that continue to enhance our nation’s defenses against an array of adversaries. The Secretary will discuss a report by the President’s Commission on Enhancing National Cybersecurity.

Commissioned by the President and the Department of Commerce, the 2016 Cybersecurity Commission Policy Report sets the stage for consideration of national priorities in the cybersecurity policy arena. This event will feature industry and government officials talking about ongoing work and the opportunities ahead to defend against the growing speed and complexity of cyber attacks.

Keynote
Penny Pritzker, Secretary, U.S. Department of Commerce

Panel One: Cyber Readiness: Government Perspective
Moderator: Tim Starks, Politico Pro journalist and author of Morning Cybersecurity
Panelists: Clete Johnson, Senior Policy Advisor on Cybersecurity to the Secretary of the U.S. Department of Commerce
Cherilyn Pascoe, Professional Staff Member and Investigator, U.S. Senate Committee on Commerce, Science and Transportation
Kiersten Todt, Executive Director, President’s Commission on Enhancing National Cybersecurity

Panel Two: Industry Collaboration on Cyber Preparedness
Moderator: Joseph Marks, cybersecurity reporter, NextGov
Panelists: Scott Aaronson, Executive Managing Director, Electric Edison Institute
Christopher Boyer, Assistant Vice President, Global Policy, AT&T
Larry Clinton, President, Internet Security Alliance
Heather Hogsett, Vice President of Technology and Risk Strategy, Financial Services Roundtable/BITS
Ola Sage, CEO, E-Management, and Chair of the IT Sector Coordinating Council