What NIST Is Hearing from Industry About Critical Infrastructure Cybersecurity
There are certain things in life you can count on: death, taxes, and waiting for updates to NIST cybersecurity documents. The National Institute of Standards and Technology is currently evaluating comments on a revision of its guidance on the cybersecurity of critical infrastructure. See below for a summary of the more than 100 comments NIST received. The Federal Drive with Tom Temin spoke to Megan Brown, an attorney and partner at Wiley Rein.
Tom Temin: In short, why is Wiley Rein paying attention to all these comments? Cybersecurity practice is in its DNA.
Megan Brown: Yes. We have many clients, including government contractors and technology companies involved in critical infrastructure. And we've been involved with the NIST Cyber Framework since its inception over a decade ago, when President Obama issued an executive order. So we are very interested in how this develops.
Tom Temin: And most of the commenters, with links to their comments, include a few individuals but are mostly of the corporate type. What are your thoughts on the content of this guidance update?
Megan Brown: So they did their last update a few years ago, and they feel that it is a very important document that has been successfully accepted by the private sector. NIST has won numerous awards for collaboration and for building things that people actually use. It's amazing that it's starting to be used overseas as well. But it's been a few years, the cyber threat landscape has changed, and there's also a sense that companies have a slightly more mature sense of what to do. And, frankly, they are adding some additional elements to the NIST Cyber Framework to expand its scope.
Tom Temin: Yes. And many industrial control systems, which are a subset of critical infrastructure, have evolved significantly in recent years, perhaps from legacy programming using ancient operating systems to the new Internet- and IP-based types of services now available throughout the software world. And that could have changed the situation and made them more vulnerable.
Megan Brown: Well, I think what the government is working on is the fusion of operational technology and information technology. Many comments and other work streams indicate that there is still a large amount of installed OT that people are concerned about, but I would say it is under control. But the question that this and many other NIST efforts seek to address is how to handle the so-called convergence of OT and IT.
Tom Temin: And since this is already generally accepted, the comments seemed to support NIST's work.
Megan Brown: In a way. As we've seen, I think NIST is taking the same step-by-step approach as before. They have done many workshops. They just released a discussion draft, or concept paper, and will put it out for public comment later this month. They want to get feedback before moving on to the next draft. Some of the comments support some of these moves, but there is a certain amount of caution in comments that prompt major changes to the structure of the document or the addition of entirely new concepts. And I'm happy to explain some of those friction points in the comments. But in general I think you are correct. I think people are excited about the update. Let's not break anything during the update.
Tom Temin: Of course. What are the friction points? Highlights only.
Megan Brown: I think that many people are concerned about the addition of new functions. As for how the framework is structured in this document, it has five functions that make up the core of this approach. And that approach is a process-based approach, to which NIST wants to add a governance function. So there's some friction in comments from some industries saying they don't need an all-new function; it may overlap with other existing functions. Or someone else might say that if you add a governance function around organizational control and accountability, be very flexible, because the different types of companies and organizations that use this document will approach things like governance in very different ways. I believe NIST is listening to that feedback as well.
Tom Temin: Yes, because, as you say, there are associations that are reacting. But if you look at some of the commenters, they range from Capital One to American Airlines, Xcel Energy, and companies like that, cyber companies in many cases, that are so close to fulfilling their mission that in fact they probably already have that kind of governance, and I don't feel they need something extra.
Megan Brown: Now I see an additional problem. I think you're right and I agree with that. A further challenge, however, highlighted in some comments, is that, for example, the Securities and Exchange Commission has proposed rules for public companies that affect, or are intended to affect, corporate governance and accountability. So there is a bit of concern that there is still a lot going on in terms of policy, and it's hard to be too specific about what governance will look like, especially considering other bodies like the TSA. It may be a little premature. There are other agencies involved in the cyber field. So I think people get a little worried when you mix everything up like this.
Tom Temin: I'm talking to Megan Brown. She is a partner at the law firm Wiley Rein. And is some of that caution in the larger context of more and more regulation coming from the Biden administration everywhere you look, mainly on the acquisition and federal procurement front?
Megan Brown: I think there is a little of that. From my clients' perspective as well as mine, the NIST Cyber Framework has always been a very self-directed and flexible approach. So compared to some of these new regulatory structures, I think people want to keep it, and some of them are trying to build on the framework. And it may help to some extent. However, there is an underlying concern that some regulators will take the NIST Cyber Framework and translate it into regulatory baselines, whether or not it really hits the mark. I think there are concerns about that as well.
Tom Temin: So what do you advise your clients to do in response to this? I mean, comments are still open, right?
Megan Brown: Yes. Yes, comments are still being accepted. So my advice, whether you're a government contractor, a tech company, or critical infrastructure, is to look at what they're proposing and ask yourself what you would do with this if it became some sort of obligation, or if a regulator came along and asked: how would you answer? Another thing we advise is to watch DHS and other agencies, which are still moving very quickly in other areas. There are cybersecurity performance goals issued by the Department of Homeland Security under an executive order, and there are comments encouraging harmonization, as much as possible, with what is being done within this cybersecurity framework. And that's another place I tell people to pay attention, to what DHS is doing with these performance goals. This is because these performance targets can also ultimately be used or abused as a basis for regulation and oversight.
Tom Temin: Right. The more these efforts spread throughout government, the more disjointed they can be.
Megan Brown: It's really a challenge. The TSA, the Transportation Security Administration, has issued very prescriptive security directives. They are starting to make rules. And the one real problem for some companies that are subject to several of these institutions and frameworks is the enormous burden of analyzing them, resolving contradictions, and making it all work together.
Tom Temin: As an aside, let's take a look at the beautiful and really open way NIST organizes comments for anyone to read. It's a really nice web presentation. You have a list of links, all easy to read and easy to find. Not all regulators do that, right? Comments of this kind are accepted for any initiative.
Megan Brown: I mean, they are. Just as the TSA issued an advance notice of proposed rulemaking, you can search for those comments through federalregulations.gov, so I'm sure you'll find them. But I think that's a valid opinion, Tom. These may not be as sophisticated or accessible as those produced by NIST, right? Some government documents can be a little difficult to track down and find what's buried inside.
https://federalnewsnetwork.com/cybersecurity/2023/05/what-nist-is-hearing-from-industry-about-critical-infrastructure-cybersecurity/