Comm Sector Use of NIST Cybersecurity Framework Seen Critical to FCC Work on Voluntary Best Practices
Industry participation remains critical to the success of the National Institute of Standards and Technology-facilitated (NIST) Cybersecurity Framework, federal officials said Friday during a USTelecom event. The federal government’s focus in the three months since NIST’s February release of the “Version 1.0” framework has shifted toward encouraging critical infrastructure entities to use the framework and tailoring the framework to sector-specific uses, officials said. The FCC is in the process of determining what role it can play in the communications sector’s voluntary use of the framework as a risk management tool, said Public Safety Bureau Chief Counsel Clete Johnson. USTelecom Vice President-Industry and State Affairs Robert Mayer told us he believes the commission will and should continue to allow the private sector to drive the process of determining the FCC’s role in that process.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The FCC does not intend to use the NIST framework as a blueprint for mandatory standards, Johnson said. FCC Chairman Tom Wheeler had said in March during a speech to the commission’s Communications Security, Reliability & Interoperability Council (CSRIC) that he wanted the then-new CSRIC Working Group 4, which is evaluating cybersecurity best practices, to develop a new “regulatory paradigm” (CD March 21 p3). The FCC Technological Advisory Council is also aiding the commission in determining its cybersecurity role. Wheeler meant that the private sector must take the lead on cybersecurity best practices within the communications sector because a “traditional regulatory approach” won’t be able to keep pace with technological development, Johnson said. That paradigm needs to be “something more dynamic than compliance but more demonstrably effective” in assuring that 911 and other key communications components will be resilient and reliable, he said. CSRIC is still in the early stages of evaluating those best practices, but it is clear that using the NIST framework will need to be “an issue of proactive risk management, not reactive compliance with requirements,” Johnson said.
The FCC has “allowed us to shape the effort in a way that industry is currently comfortable with,” said USTelecom’s Mayer, co-chair of CSRIC Working Group 4. “The focus is on risk management processes as opposed to the development of technical standards,” though the risk management framework that CSRIC develops is likely to include references to existing cybersecurity standards and best practices, just as the NIST framework did, Mayer said. As the working group moves forward, it will be working across sectors and agencies, meaning the FCC’s own role will change over time, he said. “Where that ends up, it’s too soon to conclude,” Mayer said. “But there’s a higher degree of interagency coordination around cybersecurity and I would expect that to continue."
CSRIC Working Group 4 will create the risk management framework by evaluating previous CSRIC cybersecurity work and combining it with elements from the NIST framework, he said. That effort will include evaluating the communications sector’s shared responsibilities and dependencies, examining major threats to sector networks, determining how small and medium-sized businesses will be affected by implementation and examining barriers to implementing the NIST framework, Mayer said. The risk management framework will also detail examples of companies’ use of NIST framework components, he said.
The communications sector was one of the drivers of the NIST framework’s development and has been an early adopter of the framework, so the FCC agrees with the Department of Homeland Security that the primary incentive for framework use is that “if it’s good for management, it will be adopted,” Johnson said. DHS is continuing to work with the White House to evaluate possible incentives, but believes that it “is going to be adopted if industry finds it useful,” said DHS Assistant Secretary Andy Ozment, head of the National Protection and Programs Directorate’s (NPPD) Office of Cybersecurity and Communications. Ozment had previously been the White House’s senior cybersecurity director before joining DHS in early April (CD March 14 p15). “If we haven’t succeeded in making a product that’s useful, then we just haven’t succeeded,” he said. “Fortunately, I don’t think that’s the case.”
The White House has been able to make “tangible progress” on evaluating some possible incentives for use of the framework, particularly the use of technical assistance and grants, said Samara Moore, White House National Security Staff director-cybersecurity critical infrastructure protection. The White House has also noticed developments on incentives outside the eight incentive areas it had originally targeted, including loans and academia’s alignment of cybersecurity curriculum with the NIST framework, she said. DHS has also continued a yearslong effort to evaluate growth of the cybersecurity insurance market as an incentive, said Tom Finan, senior cybersecurity strategist and counsel for NPPD. The NIST framework provides a common vocabulary for cyber-risk management, meaning it will be a “very powerful tool” during the insurance underwriting process, he said.