
Opening Remarks (As delivered)
Press Briefing, Preliminary Cybersecurity Framework
October 22, 2013
Dr. Patrick Gallagher, Acting Deputy Secretary, U.S. Department of Commerce, Under Secretary for Standards and Technology and Director, National Institute of Standards and Technology


Good afternoon. Thanks for joining us on this call.

I wanted to take just a few minutes this afternoon to give you some perspectives on the new cybersecurity framework that NIST is releasing today for public comment.

As many of you know, this effort started 8 months ago in February 2013 when the President issued an Executive Order that instructed me as the Director of NIST, the National Institute of Standards and Technology to "lead the development of a framework to reduce cyber risks to critical infrastructure."

So from the beginning, the President envisioned this as a voluntary effort that would be based on consensus standards and industry best practices to the extent possible. And from the beginning, we wanted to make sure that this was something that would be flexible and able to be tailored to the needs of individual businesses and organizations.

We knew it was going to be essential that we had early and substantive industry participation in developing the framework. In fact this had to be a product of industry. The framework is also useless if it's not put into practice. Businesses will only put the framework into use if it helps them align what they have to do. They have to be able to align their policy, business, and technology approaches so that they can better protect their data and IT infrastructure from cyber security risks.

I'm really pleased that as part of this effort more than 3,000 people from industry, academia, and government have participated in this framework development.

Whether it was through attendance at workshops or webinars, providing comments on drafts, by suggesting specific components, or in other ways, this participation was absolutely critical, so we're thankful particularly to the business community for all of their help and involvement.

I'd like to briefly describe what this framework is and what it isn't.

The framework can be thought of as having really two major moving parts.

First, it is a collection or compendium of existing standards and best practices. These are practices that have been proven to be worthwhile in protecting IT systems from cyber threats or to ensure business confidentiality, and protecting individual privacy and civil liberties. And secondly, and this is really important, it provides a structure for using that compendium. So it's a framework for organizing those practices and providing tools to support their use and adoption in businesses and organizations.

Ultimately what we want to do is turn today's best practices into common and expected practices, and equip organizations to better understand that good cybersecurity risk management can be the same thing as good business.

You can expect any organization you routinely do business with to protect their physical security. You expect them to lock their doors and provide appropriate access restrictions to protect paper-based files to employees with need-to-know job functions.

The same is true for cyber security. But the risk management systems used by many organizations are often less mature. What's needed is a way to easily communicate cyber security expectations across critical infrastructure sectors—from electric power generation to transportation to telecommunications—AND across the various levels within an organization from the C-suite executive to the individuals that work and provide specific services.

And fundamentally what's needed is a way for those organizations to also hold each other accountable for strong cybersecurity protections. This has to work across suppliers, between companies, between companies and consumers, so that there's a common language and an ability to work toward agreement on a given set of benchmarks for cybersecurity.

We also know that this depends on the size and the nature of an organization. A large electrical power plant needs a different type of cyber protection plan than a small bus service, but the underlying structure of what's needed is the same. The principles are the same. Both groups need to be able to identify, protect, detect, respond and recover to and from cyber threats. And the framework provides a way for these organizations to match up their current efforts with best practices in these various functional areas and to gauge the maturity of their own cyber security systems. The framework also gives them a way to set goals so that they can map out a progression and strengthen their security, lower risks, and protect themselves and their consumers.

What the framework does not do is provide threat proofing. There is not a magic bullet here. This is not about eliminating cyber risks, it is about managing them effectively.

And I also want to emphasize, as I have many times throughout this process, this is not a once through. We are not done. Cyber threats are going to continue to evolve. Cyber risk management has to therefore evolve with them. This means the framework must be a living document that allows for continuous improvement as technologies and threats change and as organizations get more mature. And to make sure that the framework truly meets the needs of the critical infrastructure industry, it must evolve to meet business needs in real time.

So to help launch that process, NIST will host our fifth workshop on the framework at North Carolina State University in Raleigh, N.C., on Nov. 14-15. There we will be seeking one more round of input on the framework. And we will be discussing options for an industry-led governance structure going forward. After incorporating feedback from this event, we'll be issuing the official framework in February 2014 as directed by the President. As I said, we'll continue to work on the framework on an ongoing basis even after that.

There is absolutely no question that cyber threats are increasing. Critical infrastructure businesses and indeed the entire business community clearly need strong, tested ways to efficiently protect their data and their assets. We believe cybersecurity is good business. We hope this new framework will be a flexible tool that companies will voluntarily use because it both improves their cybersecurity and improves their bottom line.

Thanks. At this point let me stop and I'll be happy to take any questions.