The daily news stories about stolen user information and intellectual property from both private and public organizations make cyber security top of mind for most senior leaders.
There is little distinction between the public and private sectors when it comes to cyber security: compromised data affects any organization's ability to perform its mission and serve its customers. It can also destroy an organization's long-term sustainability.
A recent Executive Order included a number of initiatives targeting US Federal Departments and Agencies:
- Placing the responsibility for cyber security risk on the heads of federal agencies
- Calling for a report on cyber security concerns facing critical infrastructure to be drafted within six months
- Mandating that government agencies, especially those in the civilian sector, consider opportunities to share cyber technology where feasible (a shared-services approach to cyber security)
Additionally, in June 2015 the National Institute of Standards and Technology (NIST) published Special Publication 800-171, Protecting Controlled Unclassified Information (CUI), or "sensitive but unclassified" information, in Nonfederal Information Systems and Organizations.
The goal of 800-171 is to give federal agencies direction for ensuring that sensitive federal data and information are protected when processed, stored, and used outside the federal government in non-federal information systems. More broadly, the controls specified in 800-171 will need to be addressed in any IT system that stores CUI or sensitive but unclassified information provided by the federal government.
Private corporations that hold such information are expected to implement the controls in 800-171 by the end of 2017.
Forum's action for cyber security
Coupled with the fact that those who perpetrate cyber-attacks constantly adjust their tactics and use ever more sophisticated approaches, the above creates a great deal of urgency in both the public and private sectors to act in timely, reasonable, and prudent ways to protect public and private information systems.
For companies not directly affected by 800-171, the urgency is no less, given the reputational risks associated with information security breaches or the theft of their proprietary designs, algorithms, product plans, and so on; the recent Equifax breach is one example.
Given the above, the NFPPC felt that cyber security and resilience is both a timely and a necessary focus for our first public-private collaboration. We will focus the collaboration on determining what this means for an organization of any size, so that it understands what it needs to do to improve its cyber resilience.