What NIST is hearing from industry about critical infrastructure cybersecurity

Some things in life are certain. Death, taxes and, wait for it: updates to NIST cybersecurity documents.

Some things in life are certain. Death, taxes and, wait for it: updates to NIST cybersecurity documents. Now the National Institute of Standards and Technology is evaluating comments for a revision to guidance on critical infrastructure cybersecurity. For an overview of the more than 100 comments NIST has received, Federal Drive with Tom Temin spoke with attorney and Wiley Rein partner, Megan Brown.

Interview Transcript: 

Tom Temin And just briefly, why would Wiley Rein be looking at all of these comments? You’ve got cybersecurity practice in your DNA there.

Megan Brown Yes, We have a lot of clients who are government contractors who are in critical infrastructure, who are technology companies. And we’ve been involved with the NIST cyber framework since its inception more than a decade ago when President Obama issued his executive order. So we care deeply about how this evolves.

Tom Temin And most of the commenters, you have a link to the commenters, are a few individuals, but mostly corporate types of things. What’s your sense of what this guidance update is all about?

Megan Brown So they’ve done a previous update several years ago and the feeling is, it’s a really important document that has been successfully received by the private sector. NIST has won a bunch of awards for their collaboration and building this thing that people really do use. It’s also started to be used overseas, which is great. But there’s a feeling that it’s been several years and the cyber threat landscape has changed and we might be a little more mature in our sense of what companies should be doing. And so they’re adding some additional things to the NIST cyber framework and broadening its scope, quite frankly.

Tom Temin Yes. And I imagine that a lot of the industrial control systems, which would be a subset of critical infrastructure, have evolved a lot in recent years from being maybe legacy programing with ancient operating systems to the new Internet IP-based types of services that are available across the software landscape. And that might have changed the picture, making them more vulnerable.

Megan Brown Well, I think what the government is grappling with is this convergence of the operational technology and information technology. I will say a lot of the comments and other work streams show that there is still a heavy base of installed OT that people are concerned about, but that is being managed. But that’s a challenge that this document from NIST and many other documents are trying to grapple with is how to deal with the convergence of OT and IT, as people refer to it.

Tom Temin And because this has general acceptance in the form that it was already in, the comments seemed to be supporting what NIST is doing.

Megan Brown In certain respects. I think what we’ve seen, NIST, they’re taking a gradual approach like they did before. They’ve done a bunch of workshops. They’ve just put out a discussion draft or a concept paper that is out for public comment sort of towards the end of this month. They’re hoping to get feedback on it before they iterate to the next draft. Some of the comments are supportive of some of these moves, but there is some caution in the comments being urged about major changes to the structure of the document or addition of sort of wholly new concepts. And I’m happy to describe some of those friction points in the comments. But I think you’re right generally, I think people are on board with an update. It’s just kind of let’s not break stuff in the course of updating it.

Tom Temin Sure. And what were some of the friction points? Just highlights.

Megan Brown So I think a lot of people are concerned about the addition of new functions. So the way the framework is structured in the document is there’s these five functions that make up the core of this approach. And that approach is a process based approach, and NIST wants to add a governance function. And so there’s some friction in the comments with some industries kind of suggesting that maybe we don’t need a whole new function. It might be duplicative of other things that are already in there or others saying if you’re going to add a governance function, which is about organizational management and accountability, make sure it’s very flexible. Because for the types of diverse companies and organizations that would use this document, they’re going to tackle something like governance in very different ways. And I think NIST has heard that feedback.

Tom Temin Yes, because you have, as you say, associations that are responding. But looking at some of the commenters, they range from Capital One to American Airlines, I see on there XL Energy and those types of companies, very often cyber, is so close to the mission delivery that they really probably have that governance already and maybe don’t feel like they need something extra.

Megan Brown Well, the additional challenge I see. I think that’s right, and I agree with that. But the additional challenge that I think came out in a few of the comments was the Securities and Exchange Commission, for example, has a proposed rule for public companies that will affect – it is intended to affect – corporate governance and accountability. And so there is a bit of a concern that there’s a lot of things still moving on policy, and it might be a little premature to get too specific about what governance might look like, especially given other agencies like the TSA. There’s other agencies that are in cyber. And so it’s this sort of marrying everything up that I think makes people a little worried.

Tom Temin We’re speaking with Megan Brown. She’s a partner at the law firm Wiley Rein. And could some of that skittishness be in a bigger context that pretty much everywhere you look, mainly on the acquisition front and federal procurement front, that the regulations just keep piling on and piling on from the Biden administration?

Megan Brown I think there is a bit of that now. From my client’s perspective and my perspective, the NIST cyber framework has always been a refreshingly voluntary, flexible approach. So I think people want to preserve it as compared to some of these new regulatory constructs, some of which are looking to build on the framework. And that might be helpful to a degree. But there is this underlying concern that you really hit the nail on the head there, that some regulators may pick up the NIST cyber framework and convert it into a regulatory baseline, and I think there is concern about that as well.

Tom Temin And so what are you advising your clients to do to react to this? I mean, the comments are still open, correct?

Megan Brown Yes. Yes, the comments are still open. So my advice to whether it’s a government contractor or a technology company, critical infrastructure is to look at what they’re proposing and ask yourself, if this became some sort of mandatory obligation or a regulator came and said, what do you do with this? How would you answer that? The other piece that I think we’re advising folks is DHS and other agencies are still moving very quickly on other fronts. So you have these cybersecurity performance goals that the Department of Homeland Security has put out under an executive order, and they’ve received comments urging them as much as possible to harmonize what they’re doing within this cybersecurity framework. And so that’s another place I tell folks pay attention to what DHS is doing with these performance goals because they too may ultimately be used or misused as a basis for regulation or oversight.

Tom Temin Right. The more diffuse these efforts get across the government, sometimes the less coordinated they also get.

Megan Brown It’s a real challenge. You’ve got TSA, Transportation Security Administration put out security directives that are quite prescriptive. They have a rulemaking that they’re starting to embark on. And the real questions for some of these companies who are going to be covered by multiple of these regimes and frameworks, it just creates a lot of burden on them to analyze them, de-conflict them and kind of make it all work together.

Tom Temin And just a side question here, looking at the beautiful and really open way that NIST has organized the comments for anyone to read. I mean, it’s a really a fantastic Web presentation. I mean, there’s a list of links and it’s all easy to retype, easy to find. They don’t all do that, do they, the regulatory agencies? This kind of accept comments for whatever initiative they have.

Megan Brown I mean, they do. So like TSA put out an advance notice of proposed rulemaking that you can look up those comments through federalregulations.gov I think, so you can find them. But I think that’s a fair point, Tom. They’re maybe not as elegantly presented or accessible as NIST has made some of these. Right? Some agency dockets are a little tougher to track down and find stuff buried in them.

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News Networkcybersecurity

    Two keys to establishing a comprehensive cybersecurity strategy

    Read more
    Amelia Brust/Federal News Network

    Everything you need to know about critical infrastructure protection, between two covers

    Read more