CSRIC Working Group 4 Delivers Draft Report on Sector Use of NIST Cybersecurity Framework
Communications Security, Reliability and Interoperability Council (CSRIC) Working Group 4 delivered its draft final report Friday to the full CSRIC membership on its recommendations for how the communications sector should adapt the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework for industry-specific uses. The report’s full contents will remain confidential while CSRIC reviews the report and provides feedback on possible revisions ahead of an expected March 18 vote on whether to adopt the report, Working Group 4 Co-Chair Robert Mayer said in an interview.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
CSRIC launched Working Group 4 last March as part of FCC Chairman Tom Wheeler’s push for a new voluntary “regulatory paradigm” on communications sector cybersecurity (see report in the March 21, 2014, issue). Wheeler said in a speech in June that he wanted the private sector to lead improvements to the communications sector’s cybersecurity risk management practices but promised that the commission would be prepared to use regulatory alternatives if the private sector failed to act (see report in the June 13, 2014, issue).
Working Group 4’s draft report tracks with the FCC’s call for private sector leadership and provides “macro-level assurances” to the commission and the public that the communications sector is using “necessary and appropriate risk management actions to address cybersecurity threats,” Mayer told us. The group’s 330-page overarching report includes individual reports from industry-specific feeder groups for the broadcast, cable, satellite, wireless and wireline industries. “All of the work that we’ve done is aligned and consistent with the principles that are embedded in the NIST framework, but we wanted to make it resonate and be practical for the five industries that we looked at,” Mayer said. The report also includes issue-based reports on other issues, including top cyberthreats, small- and medium-sized businesses, metrics and barriers to implementation of the NIST framework, he said.
The CSRIC report is designed to require additional “significant” industry-led initiatives to update it in the future, Mayer said. The Department of Homeland Security, FCC and NIST are all likely to be included in those future activities, he said. Working Group 4 participants view the report as a “living document” that doesn’t necessarily require revisions as additional enhancements, said Larry Clinton, co-leader of the group’s implementation barriers feeder group and Internet Security Alliance president.
The report highlights that additional work will be needed to appreciate barriers to NIST framework implementation, particularly economics-related barriers and barriers faced by small- and medium-sized businesses, Clinton said. Smaller players are only now being recognized as an “endemic” component of critical infrastructure because of interconnections, he said. There will also need to be further work on identifying appropriate incentives for framework use and cost-effectiveness, Clinton said. There also needs to be further work on identifying metrics, though that will require completion of work on cost-effectiveness, incentives and small business use, he said. Clinton cautioned against revising the group’s work in a way that shifts back toward old-style regulation, though he said he believes that’s not the FCC’s intent. “I think we’ve learned that that approach is simply wrong-headed,” Clinton said.