Even groups that take a wait-and-see attitude remarked upon the effective manner in which the framework was produced. "While we are still reviewing the voluntary cybersecurity framework, we commend the efforts by NIST and the Administration to work collaboratively with the wireless industry on this important issue," Steve Largent, CEO of CTIA-The Wireless Association said in a statement.
NIST's open and collaborative approach has been widely credited as the reason that a potentially useful and broadly accepted framework could be produced with thousands of participants across sixteen diverse critical infrastructure industries in a tight twelve-month time span. "It's the White House being the mother to the rest of the federal government saying 'everybody get in line and make it work,'" Jack Whitsitt, Principal Analyst for EnergySec, said. "It's a monumental shift in the public-private partnership."
Although NIST plans to continue playing an important role in the framework, the action now shifts to the Department of Homeland Security (DHS) and sector-specific government agencies to refine the framework, encourage its use, and develop incentives for critical infrastructure providers to follow it. The main venue for continued work on the framework will be the recently formed Critical Infrastructure Cyber Community (C3 or C-Cubed) Voluntary Program housed at DHS.
Some critical infrastructure providers and technology suppliers fear that what they characterize as the less collaborative, more closed and more political environments of DHS and the sector agencies could undercut the work NIST produced through its wide-open approach. "It's not necessarily the best situation," one critical infrastructure provider said. "They have not yet effectively found a way to address people who inject the upstream vulnerabilities," he said, noting that the voluntary program excludes a lot of participants by the nature of its charter.
The narrower nature of the DHS program could actually reduce cybersecurity by locking some would-be players out of the process, some say. The need to ensure that industry suppliers and outsiders have a seat at the table was reinforced at the launch event yesterday. "I think any large company that isn't imposing cybersecurity standards on their supply chain has a vulnerability they don't know about," AT&T CEO Randall Stephenson said. "We have a higher dependency than we ever have had in history on vendor-supplied software," Joe Rigby, CEO of electric utility Pepco, said.
Others say that DHS has demonstrated flexibility in opening up its process. "So far there is every indication that the government is coordinating with the industry and other government agencies," one critical infrastructure owner representative said. "I think we're at a very good starting point and process that is designed to be industry-led, market-driven and flexible."
DHS counters the notion that any further framework development will occur in a much more closed environment. "We have learned a lot in working closely with NIST on the development of the framework," Bob Kolasky, who spearheads the C3 group at DHS, said. "As we go forward with C-cubed to support framework adoption, we will...emphasize a partnership that involves multiple levels of government, a disparate group of industry, regional stakeholders, and non-profits and academia. In doing so, we'll strive to make sure we keep the entire critical infrastructure community involved and use open and transparent methods to do so."