I enjoy keeping up with the latest news. At LRS Education Services, we take our own advice and use the principles we share in our NIST Cybersecurity Framework training courses as part of our own cybersecurity methodology. One of those principles is the Implementation Tiers of the NIST Cybersecurity Framework.
If you’ll indulge my need to be a trainer briefly, the Implementation Tiers focus on Risk Management. Three components make up the Tiers: Risk Management Strategy, Integrated Risk Management Program, and External Participation.
Now, to prevent this from turning into a full-fledged training session, let’s narrow the focus to just External Participation. External Participation covers “the degree to which the organization benefits from sharing or receiving information from outside parties.”
Enter The White House
Maybe you caught this, but maybe you didn’t. Don’t worry, I’ve got your back. As part of our regular “receiving information from outside parties,” we received an article from Dark Reading about the National Cybersecurity Strategy released March 2, 2023 from The White House. There are several important sections in the new Strategy. But for the purposes of this post, let me give you two quotes from Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety. Here is the first:
“The Federal Government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Where Federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the Administration will work with Congress to close them.”
This means The White House has determined that voluntary use of the NIST Cybersecurity Framework and other guidance has not been sufficient to secure critical infrastructure. Whether you like the idea of regulation in this area or not, the clear truth is that The White House is not wrong here. Spend a few minutes searching the Internet and you’ll find many cyber attacks against our critical infrastructure. We talk about some in our NIST Cybersecurity Framework training courses, including the 2021 Colonial Pipeline ransomware attack.
Based on the above quote, we may soon be looking at laws requiring alignment with the NIST Cybersecurity Framework for private sector and state government entities. And now the second quote:
“Regulations should be performance-based, leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance—including the Cybersecurity and Infrastructure Security Agency (CISA)’s Cybersecurity Performance Goals and the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity… In setting cybersecurity regulations for critical infrastructure, regulators are encouraged to drive the adoption of secure-by-design principles, prioritize the availability of essential services, and ensure that systems are designed to fail safely and recover quickly. Regulations will define minimum expected cybersecurity practices or outcomes, but the Administration encourages and will support further efforts by entities to exceed these requirements.”
In this quote, we are seeing something every organization wants: security by design, prioritization of critical services, failing safely, and getting everything back up quickly. And then we see “minimum expected cybersecurity practices or outcomes.”
What This Means for Your Organization
Here’s the situation. This is a proposed strategy with no regulatory support… yet. But the handwriting is on the wall. None of us will be surprised now if some form of minimum cybersecurity requirements for critical infrastructure is created and put into law in the next couple of years. Which leaves us with two options.
- We can ignore this possibility and keep doing what we’re doing. If you’re already using the guidance as we teach it in our NIST Cybersecurity Framework training courses, you are on the right track. But maybe you’re using your own cybersecurity strategy based on a different set of principles and outcomes. In that case, if a law requiring usage of the NIST CSF does show up, you’re going to have to make some changes.
- We can decide to take action BEFORE we are forced to do so by government regulation.
Let me say something here. I wish all our organizations had already allocated the resources to reach the most secure possible state. But the reality is, for various reasons, that’s not the case. None of us are perfect, and all of us have competing priorities. Whether you think the government is doing something good with moving in this direction or you oppose it does not matter. It’s happening.
Friends, we should already be striving to be more secure for the sake of our organization’s continued business success, whether we are for-profit or public sector. We have a responsibility to those who depend on our products and services.
I have to say, it’s not often we get a very clear picture of the future. I think we’re seeing one right now.
How We Can Help
I’ll just share a few thoughts and then be done! At LRS Education Services we’ve been offering NIST Cybersecurity Framework training courses for several years.
We run them every single month. I’m not going to give you a hard sell to sign up for the courses. I think they’re incredibly valuable, but I’m admittedly biased. Here’s all I’m asking you to do. Consider this new White House cybersecurity strategy and ask yourself, “If this were the law of the land today, would we be OK?” If not, then perhaps it’s time to consider making the changes necessary to be in alignment when it does come to pass.
Have a great day!
Troy Stoneking
Certified NIST Cybersecurity Framework Professional Trainer and Cybersecurity Assessor