The White House decided the best way to get critical infrastructure providers to implement the Framework for Improving Critical Infrastructure Cybersecurity is through incentives around three main areas.
Michael Daniel, the White House’s cybersecurity coordinator, wrote in a blog post Monday that to encourage adoption the government would focus on streamlining regulations, cybersecurity research and development, and federal procurement policies and practice.
“We have heard from multiple industry representatives that securing their information is in the best interest of their companies and shareholders. The industry-developed framework provides a roadmap to accomplish this security effectively,” Daniel wrote. “But at the same time, government must be willing to step in to incentivize best practices when private market incentives prove insufficient to achieve an appropriate level of cybersecurity.”
When the White House released the cybersecurity framework in February 2014, it identified potential incentives to help industry adopt these standards. In August, Daniel announced the government would look at eight recommendations that came from a series of industry listening stations held over the previous six months.
From those eight, Daniel said these three hold the most promise.
Under the federal acquisition incentive category, Daniel said he wants to build on the work by the Defense Department and the General Services Administration from January 2014. In that report, GSA and DoD identified six recommendations to bring cyber risk management into the federal acquisition environment.
Daniel said the White House will institute “a federal acquisition cyber risk management strategy,” and increase government accountability for cyber risk management.
Under the streamlining regulations category, Daniel said by February 2016 the White House will identify current federal rules and policies that are burdensome, conflicting or ineffective.
“We concluded that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risk to critical systems and information,” Daniel wrote. “For example, the EPA determined that its current requirements are sufficient, and that a voluntary partnership approach will be used to manage cybersecurity risks in the Water and Wastewater Sector.”
Under the final area, cyber research and development, Daniel said the White House will publish a report this spring identifying key priorities for the next three to five years.
He said the Homeland Security Department worked with academia and the critical infrastructure community to get a better idea of what they need to better protect their assets.
Daniel said a key piece of R&D is being done by the National Strategy for Trusted Identities in Cyberspace (NSTIC) to test out multi-factor authentication technologies instead of passwords. Daniel said in June that his goal is to “kill the password dead.”
In addition to these three broad areas, Daniel said the White House also supports efforts by agencies such as FEMA or the Energy Department to incorporate the cyber framework into grants or cost recovery for price-regulated industries.
“FEMA has incorporated the Cybersecurity Framework within its Homeland Security Grant Program guidance to raise awareness of the framework within the grant recipient community and encourage the incorporation of the framework’s risk management principles within relevant grant-funded initiatives,” Daniel wrote. “DHS is also working with the federal grant community to identify other relevant grant programs that could similarly incorporate the framework into grant guidance. In order to encourage cost recovery, the Department of Energy is engaging with state and local regulators and state energy policymakers to support prudent cybersecurity policies, programs, and investments in the electric, natural gas, telecommunication, and water sectors.”
Daniel said one incentive that isn’t on the table is the use of public recognition or a “seal of approval” for companies that say they meet the standards in the framework.
He said that, based on feedback from the critical infrastructure community, such a program “would reduce the flexible use of the framework.”
“Ultimately, we believe our private-sector partners use the framework because it is based on industry best practices and results in stronger risk management, not because the government is making them do it,” Daniel wrote. “We understand that every critical infrastructure owner and operator, whether public or private, has to make resource decisions based on a variety of risks, and we want to use all of the policy levers available to the government to strengthen the case for use of the framework.”