National Risk Management Center huddles with industry on critical cyber functions

Mark Kneidinger, NRMC

More than 90 days from the launch of the National Risk Management Center, the team behind the center is staffing up and looking for a headquarters space.

Mark Kneidinger, the NRMC deputy director, said Thursday that the staff of DHS’ Office of Cyber and Infrastructure Analysis (OCIA) will serve as the “underlying foundation” of NRMC, along with another 40 DHS cyber personnel on detail.

The center, he added, will continue to make other hires, once it understands where there are “expertise gaps” in its workforce.

“We’re going to be doing that expansion once we have a better idea of where the focus needs to be, in regards to where we need those skills and then bringing those people together,” Kneidinger said at a meeting of the Information Security and Privacy Advisory Board (ISPAB) in Washington.

In addition, Kneidinger said the NRMC is “aggressively pursuing” a space to call its own, and expects to have that finalized sometime in January.

“At this point, we’re in a large SCIF area, and that’s not going to work,” he said, referring to a sensitive compartmented information facility.

“We need to have an organization in place so that industry and government can work together, and that is a priority for us to get that structure in place, because it’s a keystone to the overall organization,” he later told reporters.

Also Thursday, the NRMC’s “tri-sector” industry partners in the finance, telecommunications and energy sectors met with DHS officials to review their national critical functions.

“The primary focus of that workshop is to hear from them as to how they have identified their national critical functions, because we’re looking to the sectors to identify this. And then we want to validate with them why they’ve made their selections,” Kneidinger said.

The NRMC team is also waiting for Congress to finalize a name change for the National Protection and Programs Directorate (NPPD). The Senate approved a bill Oct. 4 that would change its name to the Cybersecurity and Infrastructure Security Agency (CISA).

The bill was sent back to the House to approve changes made in the Senate version.

“What CISA allows is it gives us the capability to be a component agency, so that gives you more control in regards to back-office capabilities and things of that nature,” like human resources and finance, Kneidinger told reporters.

Beyond the name change, CISA would elevate DHS’ cyber mission and move non-cyber offices, like the Federal Protective Service, elsewhere in the department.

NRMC plans to give a status update on several “sprints” it has been working on since its inception at a Nov. 16 cybersecurity conference at the U.S. Chamber of Commerce, Kneidinger said. So far, those include its collaboration with the tri-sector, and those industries identifying their national critical functions.

Kneidinger also identified a pipeline sprint, conducted in conjunction with partners that include the Transportation Security Administration and the National Cybersecurity and Communications Integration Center (NCCIC).

Supply chain task force executives slated to meet

The center also houses DHS’ information and communications technology (ICT) Supply Chain Risk Management Task Force.

The executive committee of the supply chain task force will hold its first meeting mid-November, with a full task force meeting to follow at a later date.

Emile Monette, the co-chair of the task force, told reporters the organization will consist of 60 members: 20 members each from government, the IT sector and the communications sector. About half those members will serve on the executive committee.

“There’s a lot of interest, and people want the cachet of being on the executive committee. I think that’s reasonable,” Monette said.

With a group of that size, Monette acknowledged a “tension between being inclusive and manageable,” as expressed by ISPAB Chair Chris Boyer during Thursday’s meeting.

“I’m not sure where we are on that spectrum, but I think we’ll be able to manage with the numbers that we have,” Monette said, adding the members will be expected to pull their weight during the meetings.

“Table stakes for being a member is you’re going to do work,” he said. “It’s not come here and just go to meetings, it’s come here, go to meetings, do work in the interim and come back.”

Responding to a ‘sophistication of intrusion’

One of the goals of the NRMC, Kneidinger said, is to “de-fragment” the way the government and private sector work to respond to security threats.

“What we’ve found is that when you take a look, from a functional perspective, and where there are inter-dependencies … you start realizing that not only are there gaps from the assessment perspective, but you need to understand the rippling effect that actually cuts across both private and public sectors,” he said.

The second reason for creating the center, Kneidinger explained, is to meet the growing “sophistication of intrusion” that nation-state actors are putting behind their cyber attacks.

“They’re looking at how they can most impact our national capabilities — economy, agriculture, so on and so forth,” he said. “Industry came to us and said we need a counterbalance to that. We need to understand not only what we’re doing as a sector, but also what is government doing.”

The NRMC will review national critical functions with the remaining 13 sectors “over the next month or so,” Kneidinger said.

“We then need to dissect where are all the interwoven sector activities and dependencies that are built into that,” he said. “What are the associated risks of that?”