The National Institute of Statistics and Technology has released its preliminary cybersecurity framework, which at its core has a "stop, drop and roll" take on threat response: "Identify, Protect, Detect, Respond, Recover."
The framework applies to critical infrastructure, including telecommunications and the other key sectors that rely on broadband network connectivity and is billed as "a common language for expressing, understanding, and managing 200 cybersecurity risk, both internally and externally." It is not meant to replace existing protections, says NIST, but to get everyone on the same page when it comes to the basics.
The report is responsive to the President's February 2013 executive order calling for "a voluntary Cybersecurity Framework that provides a 'prioritized, flexible, repeatable, performance-based and cost-effective approach' for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk," NIST says.
That order followed the failure of Congress to agree on cybersecurity legislation that would create that voluntary framework.
There will be a 45-day comment period and NIST wants plenty of input, including on whether 1) the framework can be cost-effectively implemented, 2) industry execs sufficiently understand the risks and responses, 3) it conflicts with current practices, 4) whether it is clear on protections of privacy and civil liberties, and much more.
The National Cable & Telecommunications Association — cable companies were among the stakeholders consulted for the framework — already had some input, saying the framework should rely as much as possible on existing standards.
"The cable industry is deeply committed to providing our customers with a safe and secure online experience," NCTA said in a statement. "We appreciate the collaborative efforts led by Patrick Gallagher and NIST which sought significant input from many public and private stakeholders across the critical infrastructure sectors. We look forward to a thorough evaluation of the Preliminary Cybersecurity Framework and will continue to encourage a streamlined approach that relies on existing standards and offers practical guidance for companies to improve their readiness to combat cyber threats."
In a conference call with reporters after the release of the preliminary framework — the final framework is due February 2014 — NIST Director Patrick Gallagher said the goal of the framework was to turn best practices into common and expected practices. He said there was no implied liability to companies who don't adopt the voluntary best
practices, but said he thought it would be in their own self-interest.
Gallagher recognized there would be the tension between compliance and other pressures, like time and resources, and also said he thought there would ultimately be a role for Congress in terms of incentives — there is not enforcement mechanism for the framework.
He said more than 3,000 representatives from government, industry, and academe participated in the process, saying the framework would be useless unless it was put into practice.
He described the framework as both a collection of existing standards and practices across a broad sector and a structure for organizing and using them.
What the framework does not provide, he said, was "threat-proofing." There is no magic bullet for that, he said.
Instead, it is about managing cyber risks, not eliminating them. And while the final framework is due in February, he suggested it would be a living document and evolve to meet business needs in real time, which was one of the requirements of businesses if they were going to buy into the framework.
The White House wants to hear back from federal agencies by January — the FCC cannot be held to that since it is a federal agency but will probably weigh in anyway — on what authority they think they need related to the framework.
But how does that work if the framework is not finalized until February. Adam Sedgewick, who has been leading the framework process, said that the foundation of the framework should provide enough info between now and then for them to be thinking about how they fit with the process.
Gallagher said the main difference between the preliminary framework and a draft released over the summer had to do with usability, plus an expanded section on civil liberties and privacy protections stemming from a workshop in Dallas where that was a hot topic.