Cybersecurity Framework Workshop
Department of Commerce Auditorium
April 3, 2013
Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director 

Pat Gallagher:  Well, good morning everybody.  It's a real pleasure to be here. Let me begin by thanking Deputy Secretary Lute.

One of the things that you've heard already this morning, just in the opening remarks, is the extent to which the Executive Order laid out a process of collaboration, almost more than anything. And that's critically important, because what we're talking about with cybersecurity is the performance of a system—a system that's bigger than any one company. It's, in fact, bigger than the government; and, in fact, it requires a partnership between peer companies, between companies that you depend on, maybe even your competitors.

And it also calls upon a public-private partnership, and as you heard Deputy Secretary Lute point out, a very robust partnership even within the federal government. And what we're really here today to begin talking about is a key part of this framework.

This is the first of what will be a series of workshops that NIST will be convening to support the development of the Cybersecurity Framework. This is an important milestone. This is the first of these workshops that we will be using to carry out what we've been asked to do under the President's Executive Order.

What I'm going to do this morning is make a few remarks about our role to sort of set expectations, and then I'm going to turn to our first panel. And I'll be introducing them to begin to look at the role of cybersecurity from the perspective of a cross section of industry stakeholders, so they can present their views on the approach of the Executive Order and how their companies view cybersecurity in this day and age.

Let me talk first about the approach we're taking to develop the framework.  As we all have heard, NIST is responsible, under the Executive Order, to lead the development of the framework to reduce cyber risk to critical infrastructure. And by "framework," we mean that set of core standards, methodologies, procedures, processes—whatever it takes to put into practice—that would be applicable across sectors to achieve and support this new baseline that you heard Michael talk about.

Soon after the President's announcement to support this effort, NIST issued a Request for Information, called an RFI, to ask you what you are doing now: How do your organizations manage risk? What challenges do you face? What standards and policies do you already use? And many other questions.  And that began our initial conversation with you in development of the framework and one that we continue to support today. And as you've heard, this brainstorming phase, if you will, this gathering of ideas, the RFI closes next week. Today's event continues this.

As Deputy Secretary Blank mentioned, we are asking for responses by April 8, next Monday. Those responses will become public and will serve as the foundation for the framework process. And we will follow that phase by working in forums to work with this gathered information and work hand in hand with you to organize and develop the framework.

I hope that all of you here today and all of you watching the workshop online are preparing your responses, because it's a critical part of this process. The RFI responses will enable us to make an initial determination on what standards and practices are already in place that industry is using, and will serve as a foundation for our efforts.

Our role with the framework at NIST is to support you. This is important. While the President directed me to develop the framework, this is one of those cases where the right kind of leadership is to lead by following, because this framework of practice is one that has to be baked into your businesses and to your interests and to be put into practice in your daily lives, if you will. The President's Executive Order states that the framework must be technology-neutral and it must enable critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed—the framework—to address cyber risk. In other words, we will not be seeking to tell industry how to build your products or how to run your business. Instead, we are relying on critical infrastructure industries to dictate their needs for technology products and services and allow the market to be able to evolve in a way that embraces both security and innovation.

This bottoms-up approach is not unlike NIST work in other areas that you may be familiar with, including smart grid, electronic health records, and even includes our work in things like atomic clocks and advanced materials and computer chips. It's this approach that allows solutions to develop nationally to scale globally, as other countries seek to solve the same problem.

The foundational standards and practices in the framework will become the means of developing a more secure platform on top of which companies can continue to innovate.  It will create a strong common language to empower collaboration and improve security.  And that is why we are seeking your participation in this process.

As the director of NIST, I can assure you that we will meet the President's charge to develop the framework, but the product will only be useful if it's your work product, if it's based on your input.  Without your participation, our assessment of where industry is may not be accurate and the framework will not provide a proper reflection of what we can do to enhance security.

Following today, and the responses that are due by Monday, we will be scheduling a series of real workshops—multi-day events to actually roll up our sleeves with you and develop the framework.  The first of these workshops has just been announced.  It will be hosted by Carnegie Mellon University in Pittsburgh on May 29-31. I hear Pittsburgh's a great place to spend Memorial Day, so mark your calendars.  And following that, we are tentatively planning sessions during the weeks of July 15 and September 9.

These will support the framework process before the first draft is released in October. During these sessions, the framework itself will actually be drafted. The topics will largely be shaped by the input we received from you. But our initial plan is to organize along three main topic areas:  managing risk, cyber hygiene, and tools and metrics.  This is because based on what we've heard already from our stakeholders in government and industry, these are the pieces that will be critical:  How do we prepare for the evolving threat? What are the core practices that should be considered regardless of your organization and mission? And what are the tools and techniques to support those goals?

As we do this analysis with industry, we will be looking both to existing standards and to sector-specific guidance that already exists, with an eye to working beyond what is envisioned by the Executive Order.  In other words, we view this as being an ongoing process, a living document.

What are the principles that apply across sectors? What are the gaps that we will need to fill collaboratively with our partners in government and industry? How do we develop a process and a governance model to allow industry to continue to take leadership in this Cybersecurity Framework?  These are the questions, and more, that we will be exploring today in this event. We're going to hear from industry perspectives in our first panel; and you're going to hear from a set of information sharing and advisory centers, or ISACs, to discuss how various sectors see the threat space and how the framework can be used to support those threats.

We will also hear from a group of organizations that have worked to develop a set of guidance for their sectors, to discuss important considerations and lessons learned for the framework, as well as what they think is truly applicable across sectors.

And last, we'll present NIST and Department of Homeland Security staff to answer questions about the process going forward.

So, today is not going to be the consensus reaching.  This is about continuing the brainstorming and making sure that every good idea, every existing practice that is germane to this is put on the table; and this is about getting organized for success. The success of this framework will rely on hearing from a wide range of diverse views and making sure we structure ourselves appropriately. The discussions today will help us get closer to our goal of empowering owners and operators of critical infrastructure, and many others, to make the best possible decisions in regards to identifying and preventing cybersecurity attacks.

I want to thank all of you for making time today on rather short notice and agreeing to work with us on this effort.