By: Robert G. Scott, Jr.

Cybersecurity initiatives are moving rapidly within the federal government and require owners and operators of critical infrastructure – including in particular communications and energy systems, and those who supply and service them – to remain vigilant in managing cybersecurity risks. The National Institute of Standards and Technology (NIST) is moving quickly to develop the Cybersecurity Framework required by President Obama’s Executive Order 13636 (EO-13636) and Presidential Policy Directive 21 (PPD-21), as detailed in our earlier posts here and here. At the same time, Congress continues to develop cybersecurity legislation to address concerns over the current state of cybersecurity and cyber-threat information-sharing in various sectors of the economy. Chief among these sectors are energy and communications, which PPD-21 deems “uniquely critical” given their role in supporting all other critical infrastructure.

NIST has devoted substantial effort to meeting the February 12, 2014 deadline for a final Cybersecurity Framework established by EO-13636. To date, NIST has held two sets of workshops on the Cybersecurity Framework (one of which we discussed here) and released a working analysis of comments received from stakeholders across various sectors, including owners of infrastructure at risk from cyber-threats – such as communications networks, and energy producers and distributors. Common themes in the comments call for:
- a flexible, non-prescriptive framework;
- a framework that reflects a detailed assessment of any particular risk to cybersecurity;
- the use of existing standards and partnerships as much as is feasible;
- the application of the framework to the entire supply chain of any given sector;
- the incorporation of protection for individual privacy and civil liberties; and
- incentives for private actors such as tax incentives and safe harbors for implementing the framework.