CSRIC Approves Cybersecurity Risk Management Report on Adapting NIST Framework for Communications Sector Use
The Communications Security, Reliability and Interoperability Council (CSRIC) unanimously voted Wednesday to approve Working Group 4’s report on recommendations on communications sector cybersecurity risk management, which was meant to adapt the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Working Group 4 released its report almost a year after CSRIC formed the working group as part of FCC Chairman Tom Wheeler’s push for the agency to increase its focus on cybersecurity as a public safety issue (see report in the March 21, 2014, issue). Wheeler said Wednesday, at what he called CSRIC IV’s “graduation ceremony,” that Working Group 4’s report would be “crucial to where we as an agency and we as industries and government have got to go” on addressing cybersecurity risk management. Wheeler continued to emphasize what he sees as the importance of the private sector leading on cybersecurity but noted that the FCC will continue to coordinate and play an oversight role. CSRIC also adopted Working Group 3’s report on expanded security best practices for Emergency Alert System stakeholders and Working Group 7’s report on updates to the prioritization of earlier CSRIC best practices.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
CSRIC Working Group 4’s report included nine recommendations to the FCC on how it can encourage industry use of the NIST framework and other cybersecurity best practices, including promoting sustained cyberthreat information sharing by working to identify industry-specific barriers to sharing. The FCC should also encourage wider dissemination of the NIST framework and the CSRIC report within the communications sector and should help coordinate NIST framework-related federal and state initiatives, CSRIC said. The FCC should leverage resources at the President’s National Security Telecommunications Advisory Committee, the Communications Sector Coordinating Council and the Communications Infrastructure Information Sharing and Analysis Center to promote cyber-risk management activities, CSRIC said. The FCC should harmonize past CSRIC best practices related to cybersecurity with the new CSRIC report and NIST framework, and should further explore ways to accommodate the needs of small- and medium-sized businesses in the communications sector to use the NIST framework, CSRIC said. The FCC also should adopt the availability of critical communications infrastructure as a “meaningful indicator” of cyber-risk management, CSRIC said.
The private sector voluntarily committed via the CSRIC report to promote the use of FCC-initiated confidential meetings with individual sector companies to discuss their use of the NIST framework and share information about cyberthreats or attacks they’ve faced. Those meetings, which would also include the Department of Homeland Security as the sector’s sector-specific agency, would entitle participating companies to federal protections under DHS’ Protected Critical Infrastructure Information Program or a “legally sustainable equivalent,” CSRIC said.
The private sector said it would expand the CSCC’s Sector Annual Reports to DHS’ Critical Infrastructure Partnership Advisory Council to include information on the cybersecurity of critical communications network infrastructure, beginning this year. The CSCC’s sector reports go to both DHS and the CSCC, to which the FCC belongs. The sector also said it would encourage active participation in DHS’ Critical Infrastructure Cyber Community program, which is meant to encourage use of the NIST framework, via webinars and other reference materials based on the CSRIC report and other sources.
Working Group 4’s report also provided industry-specific guidance for using the NIST framework, with individual reports focusing on how that framework could be used in the broadcasting, cable, satellite, wireless and wireline industries. The report encouraged all industries to review the CSRIC report and use it to adapt the NIST framework to company-specific use, distribute the documents to executives and other personnel, ensure operators at all levels of the TCP/IP model operate with cyber diligence and consider adopting an enhanced threat intelligence handling model. The report also encouraged many companies in the communications sector to create a dedicated governance structure within their companies to provide a more holistic cybersecurity approach.
FCC Public Safety Bureau Chief David Simpson praised the report after CSRIC voted to approve it, saying it was a “win-win” for the FCC and the communications sector. The report is a “huge step forward” for establishing Wheeler’s vision of a new paradigm on cybersecurity and presents the FCC with a “fantastic foundation” for the sector to continue improving its cyber-risk management, Simpson said. The FCC will now review the entire 415-page report and plans to seek comment on the report’s recommendations and guidance, he said.
State utility regulators who serve in CSRIC also praised the report, with Iowa Utilities Board Member Sheila Tipton saying she would encourage NARUC to disseminate the report to state utility regulators so it can be applied at the local level. Pennsylvania Public Utility Commissioner Pam Witmer said she agreed with Tipton and pledged to “get this out as broadly as we can.”
CTIA Vice President-Cybersecurity John Marinho said in a statement that the CSRIC report “offers the most comprehensive application and analysis of the NIST Cybersecurity Framework that establishes a new paradigm to protect the nation's critical infrastructure.” TIA said the report “is a very important move towards improving cybersecurity for communications infrastructure. Importantly, it uses a voluntary, public-private partnership model to combat the complex cybersecurity threats our country faces in a dynamic and scalable way.” Marinho and TIA Director-Government Affairs Brian Scarpelli both served on Working Group 4.
Former Public Safety Bureau chief Jamie Barnett, now a cybersecurity lawyer at Venable, said the report “is a major accomplishment and a great example of a government-initiated, industry-led collaboration to improve cybersecurity practices and apply the NIST Cybersecurity Framework to Internet service providers (ISPs) and communications companies. The exchange of information in the company meetings with the FCC will be important, something that will help industry and at the same time should be taken very seriously by ISPs, communications companies and edge providers.”