2nd Cybersecurity Framework Workshop
Carnegie Mellon University
May 29, 2013
Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director
I really want to express my appreciation to Carnegie Mellon. They are our hosts today, and frankly, I couldn't think of better hosts to kick off this workshop process. As all of you know, Carnegie Mellon is known worldwide for its leadership in engineering and technical work. In fact, I remember taking some engineering classes here as I was a graduate student at Pitt. But in computer science and cybersecurity specifically, they are clearly world leaders. And their contributions to this field are substantial, including the efforts of the Software Engineering Institute, which itself has been an important collaborator for NIST and other government agencies for decades. And I just want to express my appreciation to them for what you will not see, which is all the hard work that went behind the scenes to make this conference and workshop a success.
I also want to start by thanking all of you for coming out to Pittsburgh and joining us for the next couple of days to commence this workshop process. It's been some time since February 12, when the President issued the Executive Order, and we've had a lot of high-level discussions with industry, with stakeholders, with Congress, and with our government partners. And we've really, I think, set the stage. I think the table is set to have a very meaningful process here, but the proof will be in the pudding, and today we're going to turn the corner and actually roll up our sleeves and begin the process of crafting this framework. And that simply would not be possible if it wasn't for the expertise and the knowledge and the participation of each and every one of you. I want to express my personal thanks to you, in advance, for everything you're doing to help make this a success.
At this point, we all know the basics. NIST was given a set of responsibilities under the Executive Order that included working with industry on the development of a framework to reduce cyber risks to critical infrastructure. So, what is a framework? Well, it was defined operationally. It is a set of core standards or methodologies or procedures or processes that when put into practice, would reduce cyber risk across sectors, across the full-range of quickly evolving threats. And I want to emphasize those key elements. It's basically anything that when put into practice, helps reduce cyber risk.
To meet this objective, we believe it is essential, absolutely essential, that the framework be your work product and not ours. It needs to reflect current best practices from across all of the sectors, it has to identify cross-cutting issues, and it has to be compatible with market conditions. And many of you have heard me and others talk about this since the announcement.
The NIST role under the Framework process is to support you. We will be here to convene, to provide technical expertise. We are not here to choose or develop particular standards or technical solutions. We are here to provide the structure and technical support to ensure that what we are here to develop and implement is based on the best practices across the critical infrastructure.
And this is an important point. As the President's executive order states, the framework must be "technology neutral" and enable "critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risk." It's this approach that allows us to ensure that technological innovation is preserved—that we keep the ability to adapt and change against both changing threats, but also against the changing and evolving technology itself. And very importantly, to do it in a way that is as integrated with business practices as possible. And I don't know how this can occur if this is not your work product.
So, what's the current status today—where are we?
Soon after the President's announcement, in fact immediately after the President's announcement, NIST issued a Request for Information—we always have acronyms, so we call it an RFI—to ask industry to share with us what you are doing now: how do your organizations identify and manage risk? What challenges do you face in implementing those practices? What standards and policies do you already use? And a whole host of other questions.
And we've received a lot of responses; 244 of them. And these responses are the raw material, if you will, the starting point for the framework process that we begin to build today. Those that responded to our request, it was quite a diverse group. It ranged from individuals to the largest of our corporations, included trade associations and other stakeholders. They provided comments as brief as a few sentences on specific topics to comprehensive responses that ran over 100 pages. And later today, in fact later this morning, we will discuss our analysis of those comments and ask for your feedback to see if we captured the analysis right and if the methodology rings true.
But these RFI responses are designed to be a useful starting point for you. They're just the beginning. The role was to jumpstart the process. It was designed to get input from as many participants as we could with what is happening now. But the task now falls to you to begin to use that raw material and pull it together into a useful framework.
And I don't want to kid you; I don't think this is going to be easy. We're asking for a framework that represents a great diversity of critical infrastructure sectors. This framework, to be useful, has to be flexible, but it also has to be prioritized. It has to be useable by senior leadership in the owner-operators of critical infrastructure—it has to be integrated with their business needs. But it also has to be tangible and meaningful to those that have to implement and manage IT systems in these organizations.
It has to reflect national and regional needs, but it has to be able to scale globally to be effective—that's one of the big wins, we believe, in this approach. And it has to be implemented by companies as diverse as small utilities up to our largest multinationals.
So today, we're going to begin the process of developing this framework. And specifically, how can we ensure that the standards and methodologies that we put down on paper both reduce risk and can be implemented? And I really want to emphasize that. I think those are the two key attributes of the framework.
What I can share with you is that based on other work we've done at NIST in many other areas, we know that industry is very good at developing approaches that can demonstrate conformance, compliance, and effectiveness against standards. This capability that you have can be used to support the needs of both the private and public sector. In fact, it is my hope that the government use will leverage this framework itself, and it will become the platform that we will build on in the U.S. government side as well. If it is protective to the critical infrastructure, we will work to maintain this as a voluntary industry-wide process. Addressing performance requirements in this way will allow the market to evolve, while at the same time, we ensure both security and promote innovation.
This "bottoms-up" approach also will allow solutions developed nationally to scale globally as other countries seek to solve what is really a common challenge to this global infrastructure. These foundational standards and practices in the framework will become the means of developing a secure platform on top of which companies can innovate—creating strong common language to empower collaboration and improve security. We hope to leave this workshop immediately already with some initial consensus on some of these early standards.
So, here are your marching orders. It's too bad it's going to be hot—you might want to get rid of your jackets and roll up your sleeves. So, here is what we hope to accomplish here in Pittsburgh over the next couple of days. And there really are two primary goals.
The first is to identify initial consensus. We need some quick wins. And specifically, we want to identify, based on what is happening right now in critical infrastructure in your sector, in your companies, what are a set of practices, standards, methodologies that you put in place now that you believe are effective, and that you know how to show that they are adopted. And I really hope that we leave this workshop in two and one-half days with a list already of framework elements of things that we can identify as common best practices. We're looking for best-in-class performance with this commercial technology.
The second goal, of course, will be the overall framework—the connective tissue, if you will, of this framework. And that is to start to develop the cross-sector principles that are there, identify some of the common threads and themes that cut across sectors, and in particular, we fully expect the framework will not be a quilt that covers everything. We're going to see, immediately as we do this, that there are gap areas. And it is our hope that these gap areas lead to work streams where we all agree to work together to close those gaps.
So, all of the outputs we create in this workshop in Pittsburgh are going to be the starting point for the next workshop, which I am pleased to announce is going to be on July 10th through the 12th at the University of California in San Diego. So, we hope to see many, or all of you there, as well. So, with the short time frame we have in the Executive Order process, these workshops must build on each other. So, the other task you have is to give that workshop the strongest possible starting point, because after that, there's really only one more and we're quickly into the final draft point.
To structure this initial effort and this initial workshop, and based on the input we received from the RFI, today, we have identified four main topics:
- The Business of Cyber Risk;
- Threat Management;
- Cybersecurity Dependencies and Resiliency;
- and Cybersecurity Progression and Maturity.
Now those topics tie directly to key themes that we heard in the RFI over and over again and they include:
- One, that cybersecurity risk must be managed through a decision-making process that's matched and integrated with the organization's overall business needs. Risk management really provides a key tool for doing that integration.
- The other theme we heard was that the evolving threat space means that the critical infrastructure needs to have a capacity to understand, analyze, and adapt to a variety of threats. So, adaptability.
- And another theme we heard is that the sectors rely on the delivery of critical services, devices, and functions from a whole host of folks—we're dependent on others. And those companies and capabilities that we depend on have to be part of this process—what are they and how do we integrate them?
- And finally, a key theme we heard is that cybersecurity is absolutely not a one-size-fits-all. The implementation has to be adaptable to the specific needs of specific sectors, and it has to be adaptable to the great diversity of organizations that are going to be applying it, from small businesses to the very largest, as we talked about.
Beyond these discussions, we hope you can leave here today with a set of key principles for the framework, and more than that, an initial set of standards, best practices, and protocols that begin to empower owners and operators of critical infrastructure.
In addition, we hope that the discussions will also start to identify the cross-cutting issues in regard to setting up the work streams that we will need downstream.
Now, I don't pretend to believe that all the discussions we are going to have this week are going to be met with uniform, unanimous consent, or maybe even full consensus. In fact, that's okay. The framework will be better if we start by bringing in all of the viewpoints, all of the diversity, all of the approaches that we take. But ultimately, we're going to have to move beyond this sort of brainstorming phase and develop some consensus on what constitutes best practice in the framework. And again, not just what the best practice is, but what do we believe the impact is? Why is it a best practice? And too, how do we show that it can be put into practice, the adoption piece?
And to get everyone warmed up on this process—this morning is designed carefully to get your juices going—we'll hear from those at NIST who conducted the analysis of the RFI and some thoughts from them on how that input can be used in the framework and discuss some of the key challenges.
We also believe there were some gaps, even in the comments from the RFI, and we need to make sure we have a discussion with all of you to identify those gaps, because you're going to be asked to help us fill those gaps as part of this.
So, I hope you will use this morning's panel to sort of hear what came in and get a chance to ask your questions about both the input we received, the approach we used to look at it, and what you think really deserves attention that was brought in on the RFI, but also things that you think are missing.
And then after lunch, the ball is going to be in your court. I guess my only parting advice to you would be to take the big view. What we are being asked to do is to develop a framework most useful to industry, but one that will protect the nation's most critical infrastructure from harm.
We absolutely believe that the best outcome for everybody is if what we do is integrated with innovation and business opportunity and embraces the world that we all live in. But on the other hand, it simply has to perform. We are talking about infrastructure whose failure would pose a catastrophic impact to the country itself. The stakes could not be higher.
And again, I am very optimistic just given the participation and the fact that you all came to join us in this. I want to thank you, once again, for doing that—for taking time from your schedules to do this. We at NIST are here to do everything we can to make this a success, to make your workshop experience positive.
And with that, I'm going to turn it over to Adam Sedgewick, who is our point person on the Executive Order process, and he will discuss the overall approach of the framework development process.
Thank you, and good luck.