Last year, we published reports by DHS, Commerce, and Treasury identifying potential incentives that could increase use of the Cybersecurity Framework. Since then, we have worked with the private sector to better understand how the Framework is being used and the most appropriate role for government to play in increasing its use.
Based on feedback we have received from the community on using the Framework, we believe that the market offers the most effective incentives for the private sector to adopt strong cybersecurity practices. We have heard from multiple industry representatives that securing their information is in the best interest of their companies and shareholders. The industry-developed Framework provides a roadmap to accomplish this security effectively. But at the same time, government must be willing to step in to incentivize best practices when private market incentives prove insufficient to achieve an appropriate level of cybersecurity. In addition, there are other government mechanisms we can use to further encourage Framework use. Specifically, we will focus our efforts on the following policy areas:
In May, we published reports from non-independent agencies with authority to regulate critical infrastructure that assessed the sufficiency of existing regulatory authority to establish requirements based on the Cybersecurity Framework to address current and projected cyber risks. We concluded that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risk to critical systems and information. For example, the EPA determined that its current requirements are sufficient, and that a voluntary partnership approach will be used to manage cybersecurity risks in the Water and Wastewater Sector. Now we are beginning a process to identify federal regulations that are excessively burdensome, conflicting, or ineffective. We will do this in consultation with our critical infrastructure partners and will provide a report no later than February 2016.
Over the past two years, DHS has engaged with academia and the critical infrastructure community to identify key priorities for research and development over the next three to five years. Once again, we have listened to the private sector about what they need, and we will publish a report on these findings this spring. Additionally, I continue to challenge the research and development community to “kill the password.” The National Strategy for Trusted Identities in Cyberspace (NSTIC) is focused on creating an environment that enables more privacy, security, and convenience online through secure and easy-to-use credentials – instead of passwords. In the time since the President signed NSTIC, the market has responded. Many private firms have started offering multi-factor authentication (MFA) to their customers, ensuring that the most commonly executed, password-centric attacks are no longer viable. And, through more than a dozen NSTIC pilots funded by the Department of Commerce, the private sector has demonstrated material progress in advancing identity solutions.
Every year, the federal government makes significant investments in information and communications technologies. We need to ensure that the products we are buying are secure and aligned to our cybersecurity goals. Last year, the Department of Defense and the General Services Administration jointly recommended a path forward to align federal cybersecurity risk management and acquisition processes. In collaboration with stakeholders from federal agencies and industry, DOD and GSA identified six recommendations, including instituting a federal acquisition cyber risk management strategy and increasing government accountability for cyber risk management.
We will also support agency efforts to incorporate other recommendations such as grants, process preference, and cost recovery for price-regulated industries. FEMA has incorporated the Cybersecurity Framework within its Homeland Security Grant Program guidance to raise awareness of the Framework within the grant recipient community and encourage the incorporation of the Framework’s risk management principles within relevant grant-funded initiatives. DHS is also working with the federal grant community to identify other relevant grant programs that could similarly incorporate the Framework into grant guidance. In order to encourage cost recovery, the Department of Energy is engaging with state and local regulators and state energy policymakers to support prudent cybersecurity policies, programs, and investments in the electric, natural gas, telecommunication, and water sectors.
Finally, we do not intend to pursue public recognition as a government incentive, based on feedback from the critical infrastructure community. Developing a government program to award a “seal of approval” would likely reduce the flexible use of the Framework.
Ultimately, we believe our private-sector partners use the Framework because it is based on industry best practices and results in stronger risk management – not because the government is making them do it. We understand that every critical infrastructure owner and operator, whether public or private, has to make resource decisions based on a variety of risks, and we want to use all of the policy levers available to the government to strengthen the case for use of the Framework.
Michael Daniel is Special Assistant to the President and Cybersecurity Coordinator.