National Progress on Cyber Security
National Cyber Security Awareness Month is a great time to take stock of where we are as a nation in terms of advancing our cyber security agenda. While some would say nothing has happened this year in Washington, I take a different perspective. I would argue that this year has been one of the most productive in recent memory.
The Administration has been very active on cyber security. The President’s Executive Order set the stage for two important initiatives: the NIST cyber security framework and positive incentives to encourage industry to adopt cyber protections. What’s more, the Department of Homeland Security (DHS) moved forward with a landmark cyber security program for civilian federal agencies: Continuous Diagnostics and Mitigation (CDM), which also could influence private sector security efforts.
The fact that technology and standards powerhouse National Institute of Standards and Technology (NIST) managed the build-out of a model cyber security framework is a big plus. NIST is respected by both industry and government, and it is not seen as partisan or attached to any one arm of government. Basically, NIST was charged with developing a framework – akin to a set of best practices – that critical infrastructure providers will be encouraged to adopt. The development process was extremely collaborative, with open workshops, requests for comments and other ways of engaging a broad set of stakeholders from the private and public sectors.
McAfee was actively involved in this process through a team of experts that attended all the workshops. They’ve been impressed with the bottom-up view that NIST took: rather than starting with a pre-conceived notion of what the framework should look like, they listened to, evaluated and incorporated what they learned from the workshops and comments. The first draft of that framework was released yesterday.
One of the other major effects of the Executive Order was to put muscle behind the concept of positive incentives for industry to implement cyber security solutions – something that we at McAfee have long endorsed. In August, the White House released a list of proposed incentives developed by the Departments of Homeland Security, Commerce and Treasury. These include proposals to implement tax incentives, liability protection, insurance reforms and further R&D funding, among others.
While some of these would require legislation, it’s the kind of legislation that would likely have broad appeal, making it easier to pass and become law. What it wouldn’t do is regulate industry on cyber security practices. This is important, because while industry regulation on cyber might make the nation more compliant, it wouldn’t necessarily make us more secure. It’s the latter outcome that we want, and we think positive incentives are the way to achieve it.
Continuous Diagnostics and Mitigation
What’s now called CDM used to be known as continuous monitoring, and it’s still sometimes referred to that way. The term “continuous monitoring” goes to the heart of what CDM will provide: continuous visibility into an agency’s or department’s cyber security posture, along with the ability to prioritize risks and the ability to prevent or remediate attacks. Managed by DHS, CDM will truly be transformative. It represents the first time civilian agencies are receiving a detailed roadmap of how to assess where they are in terms of cyber risk and how specifically to manage that risk.
In August, the General Services Administration (GSA) announced contract awards that will allow government departments and agencies to partner with DHS and procure – at a vastly reduced price – the technology they need to implement CDM. DHS chose 17 prime contractors for CDM, and we are thrilled that McAfee technology was central to 11 of those awards. Soon DHS and GSA will release task orders detailing what individual government organizations need for CDM. When CDM becomes a reality, government departments, agencies and the citizens they serve will be better off, as the program will significantly enhance the security and resilience of federal networks.
A Year of Real Action
I can’t think of another year when the federal government has put this much significant planning and effort into cyber security, and I hope this is just the beginning. The NIST framework will provide a roadmap to industry, CDM will provide one to civilian agencies, and positive incentives could provide the impetus industry needs and wants to become more secure. There’s more to be done, but the Administration and agencies such as DHS and NIST have moved the nation’s cyber security agenda forward in a significant way.