Draft NIST Cybersecurity Framework Implementation Guide for Federal Agencies

The National Institute of Standards and Technology (NIST) issued for public comment a draft version of a cybersecurity framework implementation guide for federal agencies, in support of President Trump’s new cybersecurity executive order that requires federal agencies adopt the NIST framework.

The report illustrates eight use cases in which federal agencies can leverage the Cybersecurity Framework to address common cybersecurity-related responsibilities.
The eight use cases are:
  1. Integrate Enterprise and Cybersecurity Risk Management 
  2. Manage Cybersecurity Requirements
  3. Integrate and Align Cybersecurity and Acquisition Processes 
  4. Evaluate Organizational Cybersecurity
  5. Manage the Cybersecurity Program
  6. Maintain a Comprehensive Understanding of Cybersecurity Risk 
  7. Report Cybersecurity Risks
  8. Inform the Tailoring Process 
Comments are due by June 30, 2017.

Draft NISTIR 8170 The Cybersecurity Framework

 

President Signs Cybersecurity Executive Order

The President signed his long-delayed cybersecurity executive order (EO) today.

Section 1: Cybersecurity of Federal Networks
The first section of the EO is focused on strengthening the cybersecurity of federal networks. It says that the President will hold the heads of executive departments and agencies accountable for managing cybersecurity risk of their enterprises, but it does not include any consequences. The agency heads will also be accountable for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes. This section calls for the following:
  1. Agency heads are directed to use the National Institute of Standards and Technology (NIST) Framework to manage the agency’s cybersecurity risk, and they will provide a management report to the Department of Homeland Security (DHS) Secretary and Office of Management and Budget (OMB) Director within 90 days (due 8/9/17). The report will document the risk mitigation and acceptance choices made by each agency including the strategic, operational, and budgetary considerations that informed those choices and any accepted risk. The report will also include the agency’s action plan to implement the NIST Framework. The DHS Secretary and OMB Director will then assess each report to determine if the choices are appropriate and sufficient, and within 60 days (latest 10/8/17) of receipt then submit a report to the President (through the Assistant to the President for Homeland Security and Counterterrorism). The report for the President will include the determination and plan to protect the executive branch, budgetary needs, a regular process for reassessing future unmet budgetary needs, and policy, standards and guidelines that are aligned with the NIST Framework. The agency risk reports could be classified in full or in part.
  2. In order to build and maintain resilient federal IT architecture, agency heads should show preference for shared IT services including email, cloud, and cybersecurity services. The Director of the American Technology Council will issue a report within 90 days (due 8/9/17) with the DHS Secretary, OMB Director, GSA Administrator and Commerce Secretary that will describe the legal, policy, and budgetary considerations for federal agencies to transition to consolidated network architectures and shared IT services.
  3. For any National Security System, the Secretary of Defense and Director of National Intelligence (DNI) will implement the EO to the “maximum extent feasible and appropriate.” They will provide a report to Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism within 150 days (due 10/8/17).
Section 2: Cybersecurity of Critical Infrastructure (CI)
The second section of the EO focuses on strengthening the cybersecurity of our nation’s critical infrastructure (CI). The President asserts that it is the administration’s policy to support the cybersecurity risk management efforts of the owners and operators of our nation’s CI. This sections calls for the following:
  1. The DHS Secretary in coordination with the Secretary of Defense, Attorney General, DNI, FBI Director, the heads of appropriate sector-specific agencies, and other appropriate agency heads will identify the authorities and capabilities that federal agencies could employ to support the cybersecurity efforts of CI entities and determine whether and how the authorities and capabilities might be employed. They will provide the President with a report within 180 days (due 11/7/17) that may be classified in full or in part. They will be required to provide an updated report to the President on an annual basis thereafter.
  2. The DHS Secretary and Secretary of Commerce will provide a report to the President that examines the sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by CI entities (focused on publicly traded CI entities) within 90 days (due 8/9/17).
  3. The DHS Secretary and Commerce Secretary will identify and promote action by appropriate stakeholders to improve the resilience of the internet and communication ecosystem to ensure resilience against botnets and other automated, distributed threats and will make publicly available a draft report within 240 days (due 1/6/18). And within a year, they will submit a final version of this report to the President.
  4. The Secretary of Energy and DHS Secretary will assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident, the readiness of the US to deal with an incident, and gaps in assets and capabilities to mitigate consequences of such an incident. The assessment will be provided to the President within 90 days (due 8/9/17).
  5. The Secretary of Defense, DHS Secretary, and FBI Director will provide a report to the President within 90 days (due 8/9/17) that outlines the cybersecurity risks facing the defense industrial base, including its supply chain, and the U.S. military platforms, systems, networks, and capabilities. The report will also include recommendations for mitigating these risks. The report may be classified in full or in part.
Section 3: Cybersecurity for the Nation
Finally, the third section of the EO focuses on cybersecurity for the nation. The administration wants to promote and open, interoperable, reliable, and secure internet as well as support the growth and sustainment of a cybersecurity workforce. This section calls for the following:
  1. The Secretary of State, Treasury Secretary, Defense Secretary, AG, Commerce Secretary, DHS Secretary, and U.S. Trade Representative will issue a report to the President within 90 days (due 8/9/17) on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.
  2. The Secretary of State, Treasury Secretary, Defense Secretary, Commerce Secretary, and DHS Secretary will issue reports to the President within 45 days (due 6/25/17) on their international cybersecurity priorities including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of submitting the reports, the Secretary of State shall provide a report to the President documenting an engagement strategy for international cooperation in cybersecurity.
  3. The Secretary of Commerce and the DHS Secretary will jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce. Within 120 days (due 9/8/17), they will provide a report to the President with their findings and recommendations.
  4. The DNI will review the workforce development efforts of potential foreign cyber peers in order to develop best practices and within 60 days (due 7/10/17) provide a report to the President on his findings.
  5. The Secretary of Defense will assess the scope and sufficiency of U.S. efforts to  maintain or increase its advantages in national security-related cyber capabilities and issue a report within 150 days (due 10/8/17) to the President with his findings and recommendations.

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal

 

Commission on Enhancing National Cybersecurity Report to President with Recommendations

In February, President Obama signed an Executive Order establishing within the Department of Commerce the Commission on Enhancing National Cybersecurity. The Commission’s goals are to: enhance cybersecurity awareness and protections at all levels of government, business, and society; protect privacy; ensure public safety and economic and national security; and empower Americans to take better control of their digital security. The Commission is composed of 12 members from industry, academia, and government chaired by former Obama National Security Advisor Tom Donilon who were tasked with providing detailed short- and long-term recommendations to the President by December 1, 2016. To develop their recommendations, the commissioners consulted technical and policy experts, solicited input from the public through open hearings and a request for information, and reviewed existing literature. Those recommendations were released publicly today.

The recommendations cover six major imperatives of cybersecurity:
1. Protect, defend and secure today’s information infrastructure and digital networks
2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy
3. Prepare consumers to thrive in a digital age
4. Build cybersecurity workforce capabilities
5. Better equip government to function effectively and securely in the digital age
6. Ensure and open, fair, competitive, and secure global digital economy
The six imperatives contain a total of 16 recommendations and 53 associated action items that the next administration can pursue.
Link to the report:

Below is the President’s statement on the Commission’s report:

The White House
Office of the Press Secretary
For Immediate Release

Statement by the President on the Report of the Commission on Enhancing National Cybersecurity

In February of this year, I directed the creation of a nonpartisan Commission on Enhancing National Cybersecurity, charging it with assessing the current state of cybersecurity in our country and recommending bold, actionable steps that the government, private sector, and the nation as a whole can take to bolster cybersecurity in today’s digital world.  Yesterday, the members of the Commission – leaders from industry and academia, many with experience in government – provided their findings and recommendations to me.  And earlier today I met with the Commission’s Chair, Tom Donilon, to discuss how we as a country can build on the Commission’s work and enhance our cybersecurity over the coming years.  I want to thank the Commission members for their hard work and for their thoughtful and detailed recommendations.  I am confident that if we implement the Commission’s recommendations, our economy, critical infrastructure, and national security will be better equipped to thrive in the coming years.

The Commission’s report makes clear that cybersecurity is one of the greatest challenges we face as a nation.  That is why I have consistently made cybersecurity a top national security and economic security priority, reflected most recently by the Cybersecurity National Action Plan I announced in February and my 2017 Budget, which called for a more than 35 percent  increase in Federal cybersecurity resources.

During my Administration, we have executed a consistent strategy focused on three priorities:

  1. Raising the level of cybersecurity defenses in the public and private sectors;
  2. Deterring and disrupting malicious cyber activity aimed at the United States or its allies; and
  3. Effectively responding to and recovering from cybersecurity incidents when they occur.

To strengthen our cybersecurity defenses across the country, in 2013 we convened experts from industry, academia and civil society to create the National Institute of Standards and Technology (NIST) Cybersecurity Framework.  As the Commission notes, the Framework has become the gold standard for cybersecurity risk management, and I wholeheartedly support the Commission’s recommendations to expand its usage in the Federal government, the private sector, and abroad.  We encouraged the formation of information sharing and analysis organizations, worked with Congress to enact tailored liability protections for private sector entities that share threat information with the government, and took steps to automate information sharing.  As the Commission calls for, we launched public campaigns to promote cybersecurity awareness among consumers, including the “Lock Down Your Login” campaign encouraging consumers to better secure their identities online.  We have given consumers more tools to secure their financial future by assisting victims of identity theft, improved the government’s payment security, and accelerated the transition to next-generation payment security.  We have invested in cybersecurity research and development to lay the groundwork for stronger cyber defenses in the future.  And I have clarified the roles and responsibilities of Federal agencies in responding to significant cyber incidents by issuing a new directive codifying eight years of lessons learned from incident response.

To strengthen government cybersecurity, we created the first-ever federal Chief Information Security Officer and drove dramatic improvements in Federal agencies’ use of strong authentication and in critical vulnerability patching.  We have pushed to reduce the Federal government’s reliance on legacy technologies, proposing an innovative $3.1 billion fund to modernize costly and vulnerable information technology (IT) systems – a fund that the Commission proposes to expand.  We updated the guidance for Federal agency IT management, cybersecurity, and privacy, introducing the kind of coordination that the Commission calls for.  Agencies are increasingly centralizing their cybersecurity efforts and relying on the Department of Homeland Security (DHS) for shared services like vulnerability detection, network discovery and monitoring, intrusion detection and prevention, and cybersecurity assessments of high priority IT systems.  Consolidating DHS’ cybersecurity and infrastructure protection missions within a single DHS line agency – as my Administration has proposed, and as the Commission recommends – would further strengthen DHS’ ability to support Federal and critical infrastructure cybersecurity.  Finally, consistent with the Commission’s emphasis on improving the Nation’s cybersecurity workforce, my Administration has issued a comprehensive workforce strategy and has hired more than 6,000 new cybersecurity professionals in the Federal government in 2016 alone.

As the Commission recognizes, we have championed the application of international law to cyberspace; promoted voluntary international norms of state behavior during peacetime, securing over 30 countries’ commitment to these norms in the G20 and other international fora; and committed to confidence building measures to reduce escalation risk.  We have secured commitments from China and other nations to oppose cyber-enabled theft of intellectual property and business secrets for commercial gain, sought to modernize the Mutual Legal Assistance process, and submitted legislation to enable greater cross-border data sharing between law enforcement agencies – another effort the Commission strongly supports.  We have developed additional tools and cyber capabilities to deter and disrupt malicious cyber activity aimed at the United States.  Finally, we created the Cyber Threat Intelligence Integration Center to ensure that there is a single government-wide source for integrated intelligence assessments on cyber threats

In total, the Commission’s recommendations affirm the course that this Administration has laid out, but make clear that there is much more to do and the next Administration, Congress, the private sector, and the general public need to build on this progress.  Deepening public-private cooperation will help us better protect critical infrastructure and respond to cyber incidents when they occur.  Expanding the use of strong authentication to improve identity management will make all of us more secure online.  Increasing investments in research and development will improve the security of products and technologies.  Investing in human capital, education, and the productivity of the cybersecurity workforce will ensure that this country’s best and brightest are helping us stay ahead of the cybersecurity curve.  Continuing to prioritize and coordinate cybersecurity efforts across the Federal government will ensure that this critical challenge remains a top national security priority.  And furthering the promotion of international norms of responsible state behavior will ensure that the global community is able to confront the ever-evolving threats we face.

The Commission’s recommendations are thoughtful and pragmatic. Accordingly, my Administration strongly supports the Commission’s work, and we will take additional action wherever possible to build on the work my Administration has already undertaken and to make progress on its new recommendations before the end of my term.  Importantly though, I believe that the next Administration and the next Congress can benefit from the Commission’s insights and should use the Commission’s recommendations as a guide.  I have asked the Commission to brief the President-Elect’s Transition Team at their earliest opportunity.  Further, we must provide sufficient resources to meet the critical cybersecurity challenges called out in the Commission’s report.  Before Congress adjourns for the year, it must act to fully fund the urgent cybersecurity needs that my Administration has identified in my 2017 Budget and elsewhere, investing in areas such as securing Federal information technology systems, protecting critical infrastructure, and investing in our cybersecurity workforce.

As the Commission’s report counsels, we have the opportunity to change the balance further in our favor in cyberspace – but only if we take additional bold action to do so.  My Administration has made considerable progress in this regard over the last eight years.  Now it is time for the next Administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change – both in the United States and around the world.

Cybersecurity Presidential Policy Directive (PPD-41)

The President signed a Presidential Policy Directive (PPD) this week that sets forth principles for the Federal Government’s response to any cyber incident, whether it involves other governments or private sector entities. The principles are shared responsibility, risk-based response, respecting affected entities, unity of effort, and enabling restoration and recovery. For significant cyber incidents, the PPD establishes lead federal agencies and an architecture for coordinating a broader Federal Government response to the incident.

PPD-41 also delineates government agency roles during cyber incidents. The Department of Justice (DOJ), Department of Homeland Security (DHS), the Office of the Director of National Intelligence (ODNI), and other related agencies make up the Cyber Unified Coordination Group, which will be the main go-between for responding to major cyber events. DOJ (through the FBI and the National Cyber Investigative Joint Task Force) will lead on threat response, DHS is charged with asset response, and ODNI will take the lead on the analysis and intelligence aspect of the response. For threat response, DOJ will communicate with stakeholders at an affected organization and with law enforcement to collect evidence and intelligence, stop the immediate cyber threat, and start the information sharing process with DHS. Asset response involves helping the victim find the bad actor on its system, repair the system, patch the vulnerability, reduce the risks of future incidents, and prevent the incident from happening to others.

The PPD also directs DHS to lead the effort to write the National Cyber Incident Response Plan. This Plan will set out how the federal government will work with the private sector and state, local, and territorial governments in responding to a significant cyber incident.

Presidential Policy Directive — United States Cyber Incident Coordination:

https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident

Annex for Presidential Policy Directive — United States Cyber Incident Coordination:

https://www.whitehouse.gov/the-press-office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident

FACT SHEET: Presidential Policy Directive on United States Cyber Incident Coordination:

https://www.whitehouse.gov/the-press-office/2016/07/26/fact-sheet-presidential-policy-directive-united-states-cyber-incident-1

Statement by DHS Secretary Jeh Johnson:

https://www.dhs.gov/news/2016/07/26/statement-secretary-jeh-c-johnson-regarding-ppd-41-cyber-incident-coordination

FY17 Appropriations Update – July 1, 2016

Senate

The Senate Appropriations Committee completed work on all of its 12 annual spending bills this week when it marked up its $52.08B FY17 State Foreign Operations appropriations bill in subcommittee and full committee. The bill was approved on a 30 to 0 vote. It is $591M below the FY16 enacted level and $687.4M below the President’s FY17 budget request. Of the $52.08B amount, $37.19B is for enduring costs and $14.89 billion is for Overseas Contingency Operations (OCO). This is the earliest the committee has finished its work since 1988.

Senate FY17 State Foreign Operations Bill Text:

https://www.vantagepointstrat.com/senate-fy17-state-foreign-ops-bill-text-6-29-16/

Senate FY17 State Foreign Operations Report Language:

https://www.vantagepointstrat.com/senate-fy17-state-foreign-ops-report-language-6-29-16/

Majority Bill Summary:

http://www.appropriations.senate.gov/news/majority/fy2017-state-and-foreign-operations-appropriations-bill-gains-subcommittee-approval

Minority Bill Summary:

http://www.appropriations.senate.gov/news/minority/fy17-state-and-foreign-operations-subcommittee-markup-bill-summary

FY17 Military Construction-Veterans Affairs and Zika Virus Funding Conference Agreement

The Senate failed to invoke cloture on the FY17 Military Construction-Veterans Affairs and Zika virus funding conference agreement. The vote was 52 to 48 with two Republicans voting against clotures (Mike Lee of Utah and James Lankford of Oklahoma) and one Democrat (Joe Donnelly of Indiana) voting for it. After the vote failed, Senate Majority Leader Mitch McConnell (R-KY) vowed to bring the measure back to the floor after the July 4th recess, but Senate Majority Whip John Cornyn (R-TX) said that he did not expect Republicans to reopen negotiations with Democrats on Zika funding.

Middle East Emergency Funding Package

Sen. Lindsey Graham (R-SC) indicated this week that he has held preliminary discussions with Senate Appropriations Ranking Member Barbara Mikulski (D-MD) regarding $4B emergency funding package aimed at helping Middle East allies (e.g. Lebanon and Jordan) cope with the Syrian refugee crisis.

Subcommittee House Senate
Agriculture Subcommittee: April 13

Full Committee: April 19

Subcommittee: May 17

Full Committee: May 19

Commerce-Justice-Science Subcommittee: May 18

Full Committee: May 24

Subcommittee: April 19

Full Committee: April 21

Floor: Week of June 27

Defense Subcommittee: May 11

Full Committee: May 17

Floor: June 16

Subcommittee: May 24

Full Committee: May 26

Energy & Water Subcommittee: April 13

Full Committee: April 19

Floor: Pulled after voted down

Subcommittee: April 13

Full Committee: April 14

Floor: May 12

Financial Services Subcommittee: May 25

Full Committee: June 9

Floor: Pulled after Democrat sit-in for gun control

Subcommittee: June 15

Full Committee: June 16

Homeland Security Subcommittee: June 9

Full Committee: June 22

Subcommittee: May 24

Full Committee: May 26

Interior Subcommittee: May 25

Full Committee: June 15

Subcommittee: June 14

Full Committee: June 16

Labor HHS Education   Subcommittee: June 7

Full Committee: June 9

Legislative Branch Subcommittee: April 20

Full Committee: May 17

Floor: June 10

Full Committee: May 19
Military Construction – Veterans Affairs Subcommittee: March 22

Full Committee: April 13

Floor: May 19

Conference: June 23

Subcommittee: April 13

Full Committee: April 14

Floor: May 19

Conference: Week of June 27

State Foreign Operations Subcommittee: July 6 Subcommittee: June 28

Full Committee: June 29

Transportation HUD Subcommittee: May 18

Full Committee: May 24

Subcommittee: April 19

Full Committee: April 21

Floor: May 19

 

FY16 vs. FY17 302(b) Allocations

  FY16 302(b) FY17 House 302(b) FY17 Senate 302(b)
Agriculture $21.75B $21.3B $21.2B
Commerce Justice Science $55.7B $56B $56.3B
Defense* $572.7B $575.7B $572.7B
Energy & Water $37.2B $37.4B $37.5B
Financial Services $23.2B $21.7B $22.4B
Homeland Security* $41.12B $41.1B $41.2B
Interior $32.16B $32.095B $32.03B
Labor HHS Education $162.1B   $161.9B
Legislative Branch $4.37B $3.48B

(excludes Senate only items)

$4.4B
Military Construction/VA* $79.9B $81.6B $83B
State Foreign Ops* $52.68B $52.0B $52.1B
Transportation HUD $57.6B $58.2B $56.5B

*Includes Overseas Contingency Operations (OCO) funding.

 

White House Cybersecurity Framework

Today the Administration released their Cybersecurity Framework, which is a voluntary how-to cybersecurity guide for critical infrastructure (CI) organizations. The framework was part of the Executive Order the President released last February and was developed by the US National Institute of Standards and Technology (NIST) with input from businesses. The Framework is comprised of three components:

  • The Framework Core is a set of cybersecurity activities and informative references that are common across CI sectors. The cybersecurity activities are grouped by five functions that provide a high-level view of an organization’s management of cyber risks:
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover
  • The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
  • The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices.

Though the adoption of the Framework is voluntary, DHS is partnering with the CI community to encourage use of the Framework. They have established the Critical Infrastructure Cyber Community (C3 pronounced “C Cubed”) Voluntary Program as a public-private partnership to increase awareness and use of the Framework. The C3 Voluntary Program will connect companies, as well as federal, state, local, tribal, and territorial partners, to DHS and other federal government programs and resources that will assist their efforts in managing their cyber risks. Participants will be able to share lessons learned, get assistance, and learn about free tools and resources that can help them.

NIST also released a roadmap (https://www.vantagepointstrat.com/wp-content/uploads/2014/02/roadmap-021214.pdf) detailing next steps for the framework. They plan on holding at least one workshop within the next six months to provide a forum for stakeholders to share experiences in using the Framework. NIST will also hold a privacy workshop in the second quarter of 2014 with the intention of advancing “the identification of technical standards and best practices” for mitigating cybersecurity impacts on privacy and civil liberties.

Federal executive branch civilian agencies are evaluating how they will use the Framework to enhance the protection of their systems, and State and local governments are also looking at how they can leverage capabilities found in the Framework to assist managing their cybersecurity risk. DHS is developing the Voluntary Program to respond to state and local government needs, and it is examining incentives tailored to these stakeholders.

DOD GSA Baseline Cybersecurity Requirements for Federal Contractors

DOD GSA Report Improve Cybersecurity Through Acquisition 1-23-14

DOD and GSA released the above report last week. It is one of the components called for by the President’s cybersecurity Executive Order (EO 13636) issued on February 12, 2013. The report provides recommended baseline cybersecurity requirements aligning Federal cybersecurity risk management and acquisition processes. The goal is for the government to not buy products or services with inadequate built-in cybersecurity. While the report focuses its recommendations on increasing the use of cybersecurity recommendations in Federal acquisitions, it also recommends the following:

* Address cybersecurity when training the federal acquisition workforce
* Use common cybersecurity definitions in federal acquisition regulations
* Increase “government accountability” for cyber risk management
* Institute a Federal Acquisition Cyber Risk Management Strategy
* Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions.

DOD and GSA are now expected to develop an implementation plan that may be open to public comment.