Why are you starting with Cyber Security?

The daily news stories about stolen user information and intellectual property from both private and public organizations make cyber security top of mind for most senior leaders.

There is little distinction between the public and private sectors when it comes to cyber security; compromised data affects any organization’s ability to perform its mission and serve its customers. It can also destroy an organization’s long-term sustainability.

A recent Executive Order included a number of initiatives targeting US Federal Departments and Agencies:

  • Placing the responsibility for cyber security risk on the heads of federal agencies
  • Calling for a report on cyber security concerns facing critical infrastructure to be drafted within six months
  • Mandating that government agencies, especially those in the civilian sector, consider opportunities to share cyber technology when feasible (a shared-services approach to cyber)

Additionally, the National Institute of Standards and Technology (NIST) published Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) or “sensitive but unclassified” information in Nonfederal Information Systems and Organizations, in June 2015.

The goal of 800-171 is to provide direction to federal agencies to ensure that sensitive federal data and information are protected when processed, stored, and used outside of the federal government in non-federal information systems. More broadly, the controls specified in 800-171 will need to be addressed in any IT system that stores CUI or sensitive but unclassified information provided by the federal government[1].

Private corporations that hold such information are expected to implement the controls in 800-171 by the end of 2017.

Forum’s action for cyber security

Coupled with the fact that those who perpetrate cyber-attacks are constantly adjusting their tactics and using ever more sophisticated approaches, there is a great deal of urgency in both the public and private sectors to act in timely, reasonable, and prudent ways to protect both public and private information systems.

For companies not directly affected by 800-171, there is no less urgency, given the reputation risks associated with information security breaches or the theft of their proprietary designs, algorithms, product plans, etc. (for example, the recent Equifax breach).

Given the above, the NFPPC felt that cyber security/resilience is both a timely and a necessary focus for our first public-private collaboration. We will focus the collaboration on determining what this means to an organization of any size, so that it understands what it needs to do to improve its cyber resilience.

[1] https://www.hitachi-systems-security.com/nist-800-171-assessment/

Framework for Improving Critical Infrastructure Cybersecurity Update

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity

AGENCY: National Institute of Standards and Technology, Commerce.

ACTION: Notice, request for comments.

SUMMARY: The National Institute of Standards and Technology (NIST) requests comments on a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (the ‘‘Framework’’). The voluntary Framework consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments. It has been used with increasing frequency and in a variety of ways by organizations of all sizes, areas of interest, and based inside and outside the United States.

This Request for Comments (RFC) is meant to facilitate coordination with ‘‘private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations’’ as directed by the Cybersecurity Enhancement Act of 2014.¹ The proposed update to the Framework is available for review at http://www.nist.gov/cyberframework. Responses to this RFC will be posted at http://www.nist.gov/cyberframework and will inform NIST’s planned update to the Framework.

DATES: Comments must be received by 5:00 p.m. Eastern time on April 10, 2017.

ADDRESSES: Written comments may be submitted by mail to Edwin Games, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in electronic form may be sent to cyberframework@nist.gov in any of the following formats: HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include your name, organization’s name (if any), and cite ‘‘Comments on Draft Update of the Framework for Improving Critical Infrastructure Cybersecurity’’ in all correspondence. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. The proposed update to the Framework is available for review at http://www.nist.gov/cyberframework.

All comments received in response to this RFC will be posted at http://www.nist.gov/cyberframework without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.

FOR FURTHER INFORMATION CONTACT: For questions about this RFC contact: Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue NW., Washington, DC 20230, telephone (202) 482–0788, email Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST’s Office of Public Affairs at (301) 975–2762.

SUPPLEMENTARY INFORMATION: The national and economic security of the United States depends on the reliable functioning of critical infrastructure,² which has become increasingly dependent on information technology. Cyber attacks and publicized weaknesses reinforce the need for improved capabilities for defending against malicious cyber activity. This is a long-term challenge.

The Secretary of Commerce was tasked to direct the Director of NIST to lead the development of a voluntary framework to reduce cyber risks to critical infrastructure (the ‘‘Framework’’).³ The Framework consists of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 25, 2013 (78 FR 13024), a series of open public workshops, and a 45-day public comment period announced in the Federal Register on October 29, 2013 (78 FR 64478). It was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments, and announced in the Federal Register on February 18, 2014 (79 FR 9167). Responses to subsequent RFIs, as announced through the Federal Register (79 FR 50891 and 80 FR 76934), and workshops encouraged NIST to update the Framework. The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and is consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Cybersecurity Enhancement Act of 2014.

The Framework is designed for compatibility with existing regulatory authorities and regulations, although it is intended for voluntary adoption. Given the diversity of sectors in the Nation’s critical infrastructure, the Framework development process was designed to build on cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure. The process also was intended to increase visibility and use of those standards and guidelines, and to find potential areas for improvement (e.g., where standards/guidelines are nonexistent) that need to be addressed through future collaboration with industry and industry-led standards bodies. While the focus of the Framework is on the Nation’s critical infrastructure, it was developed in a manner to promote wide adoption of practices to increase risk management-based cybersecurity across all industry sectors and by all types of organizations. NIST has worked closely with industry groups, associations, non-profits, government agencies, and international standards bodies to increase awareness of the Framework. NIST has promoted the use of the Framework as a basic, flexible, and adaptable tool for managing and reducing cybersecurity risks.

The Framework was designed as a communication tool. It is applicable for leaders at all levels of an organization. For these reasons, NIST has engaged a wide diversity of stakeholders in Framework education. NIST has also issued several RFIs, held workshops, and encouraged direct communication with potential and current users of the Framework. Based on the information received from the public via these channels and the work that it has carried out on cybersecurity—including its collaborative efforts with the private sector—NIST has developed a draft update of the Framework (termed ‘‘Version 1.1’’ or ‘‘V1.1’’), available at http://www.nist.gov/cyberframework. This draft update seeks to clarify, refine, and enhance the Framework, and make it easier to use, while retaining its flexible, voluntary, and cost-effective nature. The update also will be fully compatible with the February 2014 version of the Framework in that either version may be used by organizations without degrading communication or functionality.

Request for Comments

NIST is soliciting public comments on this proposed update. Specifically, NIST is interested in comments that address updated features of the Framework. These features seek to:

  • Clarify Implementation Tier use and relationship to Profiles,
  • Enhance guidance for applying the Framework for supply chain risk management,
  • Provide guidance on metrics and measurements using the Framework,
  • Update the FAQs to support understanding and use of Framework, and
  • Update the Informative References.

NIST also will consider comments on other aspects of the Framework update. All comments will be made available to the public. These comments will be analyzed and will be one focus of a public workshop to be held in May 2017.

Details about that workshop, which also will feature user experiences with the Framework, will be announced on the NIST Cybersecurity Framework Web site at: https://www.nist.gov/cyberframework. To receive notice about the workshop, please contact: cyberframework@nist.gov. After the May 2017 workshop and considering the comments received on this draft update, NIST intends to issue a final version of Framework V1.1 along with an updated Roadmap⁴ document that describes recommended activities in work areas that are related and complementary to the Framework.

Kevin Kimball, NIST Chief of Staff.

[FR Doc. 2017–01599 Filed 1–24–17; 8:45 am] BILLING CODE 3510–13–P

¹ See 15 U.S.C. 272(e)(1)(A)(i). The Cybersecurity Enhancement Act of 2014 (S.1353) became public law 113–274 on December 18, 2014.

² For the purposes of this RFC the term ‘‘critical infrastructure’’ has the meaning given the term in 42 U.S.C. 5195c(e): ‘‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.’’

³ See Executive Order 13636, Improving Critical Infrastructure Cybersecurity (Feb. 12, 2013),

Commerce Secretary on Collaboration

Our forum likes the speech Commerce Secretary Penny Pritzker gave at the US Chamber of Commerce Cyber Security Summit on Tuesday.

“Even though the internet is now ubiquitous in our lives, cyber is the only domain where we ask private companies to defend themselves against Russia, China, Iran, and other nation states. …

(Photo: Commerce Secretary Penny Pritzker)

Government has a solemn obligation to protect our people against systemic threats to our national and economic security.

Cyber attacks cannot be handled exclusively by our government’s law enforcement, military and intelligence services, nor are federal regulations able to keep pace with ever-evolving cyber threats. …

Through law and rulemaking, Congress and federal agencies enact solutions for our nation’s challenges. Companies then react with compliance. …

But laws and regulations alone cannot protect us from the emerging cyber threats. …

Our cyber adversaries constantly deploy new and evolving methods to exploit vulnerabilities and inflict harm on our country. …

Just weeks ago the Pegasus attack represented an unprecedented attack on Apple’s iOS platform. No static checklist, no agency role, no reactive regulation alone is capable of thwarting a threat we cannot foresee.

The federal government cannot regulate cyber risk out of existence. What we can do is work with you, business leaders, technical experts and cybersecurity professionals, to better manage cyber risk.

Commerce believes this requires a new, proactive, collaborative approach between government and industry, one not reliant on static requirements but on vigilant, continuous cyber risk management.

We need a joint defense posture with real public-private partnerships.

These are nice words, but how do we actually turn them into action and reliable protection?

We need government and industry to speak the same language of cyber risk, because we cannot work together without understanding each other.

We need new laws to facilitate continuous, candid collaboration between industries and agencies outside of the enforcement space.

We need to work together to counter threats and deploy technical solutions that bake security into innovation.

The Cyber Security Framework is the primary tool to evaluate cyber security posture. …

Last month the FTC used the Cyber Security Framework lexicon of Identify, Protect, Detect, Respond, and Recover. The FTC detailed over 60 enforcement actions for data breaches in a manner that CEOs and CIOs can easily plug into their own operations to improve their cyber security. …”

Commerce Secretary Penny Pritzker, 27 September 2016
US Chamber of Commerce Annual Cyber Security Summit

Most Ambitious Work

Commerce Deputy Secretary Bruce Andrews characterized the telecommunications sector’s work on the CSRIC WG4 recommendations as “the most ambitious real-world application of the Cybersecurity Framework developed thus far”.

(Photo: Bruce Andrews, Commerce Department)

We are happy to have the co-chair of this effort, Robert Mayer of the USTelecom Association, on our Board of Advisors.