The White House has issued an executive order on cybersecurity. Now the hard work begins.
The National Institute of Standards and Technology is finalizing a series of questions for the public about how financial firms, utility operators and other owners of facilities deemed vital to national security, the economy or public health assess risk, incorporate standards and protect those facilities from digital attacks.
The government action follows a series of cyberattacks since September that slowed service and inconvenienced customers at some of the nation's biggest banks.
The directive that President Obama signed Tuesday authorizes NIST, the standards-setting arm of the Commerce Department, to lead development of a framework that provides "a prioritized, flexible, repeatable, performance-based, and cost-effective approach" to reduce cyber risks. The order gives NIST eight months to identify standards and guidelines for protecting critical infrastructure that cut across industries and to publish a preliminary version of a cybersecurity framework.
According to NIST, the goals of the framework-forming process will be to identify current standards and practices that can bolster cybersecurity, to identify gaps for which new or revamped standards are needed, and to develop plans for addressing those gaps.
A request for information the institute published in draft form on Wednesday asks a series of roughly 33 questions that cover current risk management practices, standards and guidelines, and specific industry practices. NIST seeks comment on what organizations see as the challenges in improving digital security practices, how commenters define cybersecurity risk, and the extent to which firms incorporate such risks into company-wide management. The institute also wants to hear from companies what "critical assets" of their organizations depend on other sectors, including the financial, telecommunications, energy, water and transportation industries.
"NIST believes the diversity of business and mission needs notwithstanding, there are core cybersecurity practices that can be identified and that will be applicable to a diversity of sectors and a spectrum of quickly evolving threats," the institute wrote. "Identifying such practices will be a focus of the framework development process."
The public will have 45 days to address the questions, which NIST expects to publish imminently in final form, according to spokeswoman Jennifer Huergo.
NIST asks companies to assess how well existing approaches meet their cybersecurity needs, including how such approaches could be made more useful. Companies also can comment on how they use encryption, how they identify and authorize users of secure systems, the tools they use to monitor and detect cyber threats, and what risks to privacy or civil liberties they see from efforts to shore up defenses.
"We have to stitch together an inventory," Amy Mushahwar, an attorney who specializes in data security at the law firm of Ballard Spahr, told American Banker. "We don't know what we have - that's the first very important piece of this."
Mushahwar praises NIST for going beyond a prescribed set of items to delve deeply into approaches to cybersecurity. "What I really like from the request is that it goes beyond the standard inventory and compliance piece and asks about encryption and asset identification and allows companies to have a bit more of a free narrative."
According to NIST, the draft framework builds on the institute's work on cybersecurity standards for the federal government and the energy industry, where current frameworks govern both nuclear power and the smart grid. "It's clear to me that NIST will not be engaging in this exercise in a vacuum," Mushahwar added. "The president selected the entity that would mandate the standards development process in a very astute way."