Which cyber regs/guidelines/frameworks should you pay attention to? [Commentary]


How to best protect our nation’s infrastructure from the ever-growing variety of cyber threats has become a main discussion point among government decision makers. New or revised cybersecurity regulation, frameworks, executive orders and/or guidance surface regularly to assist the public sector in bolstering their cybersecurity programs.

While some organizations may struggle to separate the overlap and understand which guidance, framework or regulation to follow first, it’s important to recognize that these documents are dynamic. If they were point-in-time checklists that organizations went through solely with the goal of being compliant, they wouldn’t be effective. The cybersecurity landscape is continuously evolving, and therefore organizations’ cybersecurity programs must do the same.

So, among the sea of guidance, frameworks and regulation, which ones should government organizations focus on? Here’s a short list:

The National Institute of Standards and Technology (NIST) revised Framework for Improving Critical Infrastructure Cybersecurity

On April 10, the comment period closed for the National Institute of Standards and Technology (NIST) revised Framework for Improving Critical Infrastructure Cybersecurity (a.k.a. NIST Cybersecurity Framework).

The framework was initially published in February 2014 as the result of a presidential executive order. Its main objective is to provide public and private sector organizations with “a set of industry standards and best practices to help organizations manage cybersecurity risks.”

The revised version of the framework includes several key updates, the main one being around measuring the performance and maturity of organizations’ cyber risk programs. It also discusses the need and complexity of correlating those metrics to business/mission objectives and outcomes. That means measuring both how well organizations are reducing risk to the mission and identifying the benefits to the agency of good cybersecurity hygiene.

The NIST Cybersecurity Framework is a rich resource for best practices. Organizations should use it when building the foundation to their cyber risk management programs and layer on additional guidance from that point.

The updated version of the NIST Cybersecurity Framework is expected to be released in fall 2017.

Continuous Diagnostics & Mitigation (CDM)

CDM programs focus on identifying cybersecurity risks on an ongoing basis, prioritizing risks based upon potential impacts and enabling cybersecurity personnel to mitigate the most significant problems first.

Using up to $6 billion in funding from the Department of Homeland Security, every federal agency is implementing CDM. The first two phases focus on developing a baseline of cyber capabilities. The third phase, which is currently being designed, focuses on managing risk, responding to events, generic monitoring, adhering to requirements, implementing strong policies, quality management, and boundary protection. Agencies either request specific tools from the CDM program or tools are recommended to them by CDM specific system integrators.

Adoption of CDM programs would collectively increase the government’s ability to minimize the impact of cyber incidents on agencies’ primary missions. They enable organizations to adopt a risk-based approach to cybersecurity, which means identifying their most valued assets (the ones that, if compromised, would cause the most damage to the mission) and continuously mitigating the threats and vulnerabilities that specifically put those assets at risk.

Government organizations already have limited resources and budget. CDM programs help make the most out of those limited resources because they make available multiple tools and processes that spotlight what to act on today that will minimize mission impact the most.

Cybersecurity Executive Order: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

In February 2017, the Trump administration released a draft Cybersecurity Executive Order which contains important measures that organizations should pay attention to. For example, the order outlines responsibilities, deliverables and timelines for agencies. It holds the leaders of agencies accountable for managing cyber risk, making cybersecurity a top-level issue. It requires that all agencies adopt the NIST Cybersecurity Framework and references key ideas within the Framework throughout. The order also calls on agencies to show preference for the use of “shared IT services” when appropriate and to review the cost and feasibility of moving to one or more consolidated network architectures.

You may recall that in December 2016 hackers attacked the systems of power distribution companies in Ukraine, cutting power to more than 80,000 people. President Trump’s Executive Order calls for a review of potential cyber-attacks on the United States electric subsector by the Secretary of Homeland Security, in coordination with the Secretary of Energy and in consultation with state, local, tribal and territorial governments. It also mandates that the Secretary of Defense, NSA, FBI and DHS conduct a similar review of the U.S. defense industrial base. Those kinds of reviews are a good start toward preventing destructive attacks against some of our most important infrastructure.

A measure that was in the draft order at one point and should still be included was about educating our youth on cybersecurity. That kind of measure would tremendously help reduce the current cybersecurity skills shortage. According to analyst firm Enterprise Strategy Group, 46 percent of organizations claimed that they had a problematic shortage of cybersecurity skills in 2016.

There are older guidance documents and frameworks that should not be forgotten (e.g. the Center for Internet Security’s 20 Critical Controls and FISMA). However, the NIST Cybersecurity Framework, CDM and the recent draft Executive Order are the three most recent ones to drive change in how we manage cybersecurity within the public sector. They have the potential to help organizations most effectively protect the assets that are vital to their mission.

The key is for organizations to create a unified strategy that includes visibility and accountability and decreases the attack surface. They must move away from the audit, check-the-box mentality of the past and shift to a risk-based approach, which entails continuously measuring, monitoring and prioritizing actions so that the most imminent threats to, and vulnerabilities within, the most valuable assets are tackled first. This recent set of regulation, guidelines and frameworks follows that path, and could save many organizations from a damaging breach.