NIST: Cybersecurity executive order calls for harmonization
Language in President Obama's February cybersecurity executive order that directs federal agencies with regulatory authority over critical infrastructure security to review a preliminary version of the framework and determine whether "current cybersecurity regulatory requirements are sufficient given current and projected risks" calls for a process of harmonization rather than the emergence of a new regulatory model, a National Institute of Standards and Technology official said.
Speaking during a May 31 workshop, the second in a series NIST is holding to solicit comments as it develops the framework, Senior Information Technology Policy Advisor Adam Sedgewick said that "a lot of the work under the executive order is asking the regulators to ensure that there is a level of consistency," particularly if the framework is to be based on existing practices. The workshop was held at Carnegie Mellon University in Pittsburgh, Pa.
Section 10 of the executive order states that if regulatory agencies do not find that current regulatory requirements are sufficient, they should propose new regulations to mitigate cyber risk. That language has had "a chilling effect" on the private sector, said Larry Clinton, head of the Internet Security Alliance, a trade association, who said the executive order will result in an upward ratcheting of regulatory power.
"I would disagree with that assessment of that section of the executive order," Sedgewick said.
NIST workshop panelists said the framework will take cost-effectiveness into account. "We don't want a security solution that is over-onerous to the financial situation, that is overkill to the balanced universe of threat environment and that does not map to a business need," said Matt Scholl, deputy chief of NIST's computer security division. Initial public comments about the framework have emphasized that it "can't just be compliance for the sake of compliance--it can't just be a checklist, it really has to be useful for risk management and security," Scholl said.