As a mid-September deadline looms, pressure mounts on a team of IT security experts to fill in the gaps on the cybersecurity framework, a series of IT security best practices that the operators of nation's critical infrastructure could adopt voluntarily.
The draft of the framework, being jointly developed by industry and government experts under the auspices of the National Institute of Standards and Technology, will be presented at a workshop on Sept. 11 to 13 at the University of Texas at Dallas. The final version of the framework will be issued in February.
NIST's Adam Sedgewick, who leads the efforts to create the framework ordered by President Obama, says the gaps include civil liberties and privacy standards and practices and helpful cybersecurity metrics.
"There are some unique privacy needs that we'll identify through this process," Sedgewick says in an interview with Information Security Media Group [transcript below].
"We want to have really a robust conversation around those things as we're building this out going forward," he says.
Determining metrics to measure the effectiveness of the framework is another top challenge. "That's a topic that we've taken to the workshops and we'll continue to do," Sedgewick says.
One approach being evaluated is to allow for metrics to be flexible, which is a concept mentioned in the executive order.
In early July, NIST issued a proposed outline of the framework, which was vetted by industry and government participants at a cybersecurity framework workshop held July 10-12 in San Diego [see NIST Unveils Draft of Cybersecurity Framework].
In the interview, Sedgewick:
- Summarizes the main themes of the draft outline of the cybersecurity framework;
- Identifies gaps in the framework - privacy and civil liberties standards and practices and helpful cybersecurity metrics - that must be filled by the time its released next February;
- Explains the ways the private sector is involved in drafting the framework.
As senior IT policy adviser, Sedgewick represents NIST on the Department of Commerce Internet Policy Task Force and advises NIST leaders on cybersecurity. Previously, Sedgewick served as senior adviser to the Federal Chief Information Officer Council, coordinating cross-agency initiatives and assisting in the implementation of Office of Management and Budget policy and directives. For nine years, he served on the staff of the Senate Committee on Homeland Security and Governmental Affairs, handling cybersecurity and federal information technology policy.
Cybersecurity Framework Draft
ERIC CHABROW: Please take a few moments to summarize the main themes of the framework draft.
ADAM SEDGEWICK: We posted what we call the draft outline of the preliminary cybersecurity framework. What we're presenting out is very high level with a lot of gaps identified, and our work going forward is really to start filling in a lot of those gaps with our partners in industry and through the workshops that we're having throughout the country.
The basic approach that we've taken throughout this process is to have this sort of collaborative approach, similar to what NIST has done in a lot of other projects. We ask questions out. We get information in. We do some technical analysis. Then we present it back out to say, "Does this reflect where we are, where the critical infrastructure sectors are, and are we building something that can be used throughout industry?"
Going back to the president's executive order in February, at that point we released a request for information. Then we had some questions in a couple of key different areas. We asked: How do organizations think about cybersecurity risk? What are the standards, guidelines and methodologies they use to support that, the existing standards? Then we ask some tactical questions on particular things that we thought might apply to industries of all sizes and sectors. We put that out to see what we would get. We did some meeting with stakeholders among the sectors, and we got back 245 comments.
Then our process was to take those comments and do some analysis. We presented out high-level analysis of those elements of what we found as some sort of consensus among those diverse responses, which ranged from a few paragraphs on particular topics to robust analysis that went on for tens or, I think in a couple of cases, over a hundred pages on all things that were important to cybersecurity. We presented that analysis out. We said, "This is what seems to be priority. These are a couple of things that we seem to keep on hearing."
We took that to our workshop that we had at the end of May that Carnegie Mellon hosted in Pittsburg. We validated that. We validated our initial set of standards, guidelines and practices. We took that and we did some more analysis.
What we really are presenting you can consider as the frame of the framework. What that presents is kind of a user's guide, a how-to. We presented these five major cybersecurity functions that we think can apply to these diverse organizations, and then we actually presented something that we called the compendium, which is the list of informative references, those existing standards, guidelines and practices that we received. We're preparing to go to San Diego where we will be fleshing out and filling in some of those gap areas that we address in the outline and the material we presented last week.
Privacy and Civil Liberties Standards
CHABROW: Let's talk about some of those gap areas. One that you noticed in the draft outline dealt with establishing privacy and civil liberty standards, guidelines and practices. What's the challenge in establishing those standards, guidelines and practices for privacy and civil liberties?
SEDGEWICK: We have a couple of challenges in that area. We identified that as an area where it's clearly spelled out in the president's executive order. It's clearly very much a priority. It's something that throughout the comments we heard reflected back that organizations felt like it was important for the framework to address. But we have some more work to do to look at those underlying standards and guidelines that can support that.
People know that from our work under FISMA for the federal agencies, we tackled that problem by adding what we called Appendix J to 800-53 ... that shows some of the technical underpinnings of things like privacy. Going into San Diego, we're going to have some targeted sessions on the privacy topic to get that additional information that then we'll present out for validation. Some of the challenges are to make decisions on a security side that are beneficial to privacy.
There are also some unique privacy needs that we'll identify through this process for some of the critical infrastructure sectors as well. Certainly, when NIST did the work under the smart grid, we identified pretty early on that there were additional privacy concerns that needed to be taken into consideration when that framework was being developed. We want to have really a robust conversation around those things as we're building this out going forward.
CHABROW: When you say "present out for validation," what do you mean by that?
SEDGEWICK: Every stage along the way what we're trying to do is have this open and transparent conversation. That's why we're putting so much material on our website. The executive order asks that we present out, have the preliminary framework within 240 days - which puts it right about mid-October - and we'll put that out for a public comment period as well.
CHABROW: The draft outline of the framework does not include what NIST characterizes as helpful metrics for organizations to determine cybersecurity effectiveness. How are the drafters of the framework going to identify those metrics?
SEDGEWICK: Metrics is another tough topic that we're identifying as a gap, and I think people that work in the cybersecurity field know that it's very difficult overall. That's a topic that we've taken to the workshops and we'll continue to do. One thing that we've thought about [with] metrics is also we introduced this topic of what we're calling framework implementation levels, which is really meant to show how organizations can grow when they think about cybersecurity risk and realizing that part of the challenge here is looking at a flexible approach. That's a word that's in the executive order. We think that by introducing this concept out there you might be able to get some of those concepts of metrics, but that's certainly something that we'll be asking throughout this process as well and that we've identified as a gap.
CHABROW: As you mentioned, in a few days NIST will be holding its third workshop on the cybersecurity framework in San Diego. What do you hope to come out of this workshop with?
SEDGEWICK: We hope that we're going to be able to flesh out this outline. Then we want to have a draft of the preliminary framework. We hope that we'll be able to get enough material that we'll be able to flesh out this outline and some of the supporting material, so that when we go to our next workshop in September we'll have a pretty robust draft we can take and address some of the remaining gaps there so that we can leave that workshop in mid-September with something that we can put out for public comment in October. We're hoping to have something really tangible coming out of this workshop.
Top Framework Challenges
CHABROW: Going forward, what do you see as your biggest challenges in getting it done by not only mid-October for the preliminary framework, but also the February deadline?
SEDGEWICK: I think the biggest challenge is making sure that we have the right audience participating and we're getting to those owners and operators. That's one thing that we've really tried to push to make sure they're participating. This overall work will only be effective if industry looks at this as something that they see and is meaningful to their organizations. That's the overall challenge here, particularly when we're dealing with very diverse sectors and diverse organizations. We're hopeful that the material we present out people will look at and it will make sense to them, and it will make sense in terms of how they think about cybersecurity risk management. The biggest challenge that we'll face is doing that outreach and making sure that we have the pieces that make sense to this wide and diverse community.
Critical Infrastructure Owners
CHABROW: Let's talk about the critical infrastructure owners, who will not be required to adopt this cybersecurity framework. What ... have you received from these infrastructure owners, and do you expect most of them to adopt it when it's issued?
SEDGEWICK: We're optimistic that people will look at this and see tools that they use. We've had some really good outreach and we've had some really great participation out of workshops, and we're hoping that will continue. If you really think of the three overall goals that we keep on returning back to, it's identifying those standards, guidelines, practices and frameworks that are out there, elevating the uses that are proven to be effective, and then identifying those gap areas that we need to work together as a community to address.
Because of that, I think this is an ongoing project. I think a lot of those folks that have taken a look at this and see the things that they rely on, it will very quickly help us identify those gaps that we need to work on. We're optimistic in terms of the feedback that we've gotten in and the robust participation that we have at our workshops. We underline work. People come in and they leave exhausted, and I think that will continue throughout this process.