This is part of an ongoing in-depth review of the provisions
of S 3414, the Cybersecurity Act of 2012, that will be of interest to the
control systems community. The first post in the series was:
In today’s posting I will look at §103 and the requirements
for establishing voluntary cybersecurity practices. These practices will be
those that critical cyber infrastructure facilities will be judged against.
Private Sector Development
The bill gives the private sector the first shot at
developing ‘cybersecurity practices’ through each sector coordinating council.
The term ‘cybersecurity practices’ is vaguely defined as “voluntary outcome
based cybersecurity practices … sufficient to effectively remediate or mitigate
cyber risks identified through an assessment conducted under section 102(a)”
{§103(a)}.
These practices will be based upon “industry best practices,
standards, and guidelines” {§103(a)(1)}. Where such practices don’t already
exist, the sector coordinating councils will develop the practices in
coordination with appropriate entities within the sector. The bill gives them
180 days to complete this development.
Council Review
Section 103(b) requires the National Cybersecurity Council,
as always in consultation with CIPAC and ISAOs, to:
• Consult with relevant security experts;
• Review relevant regulations or compulsory standards or guidelines;
• Review cybersecurity practices proposed by the sector coordinating councils; and
• Consider any amendments to the cybersecurity practices and any additional
cybersecurity practices necessary to ensure adequate remediation or mitigation
of the cyber risks identified through an assessment conducted under section 102(a).
Then, within one year of the passage of this bill, the
Council is required to adopt the proposed cybersecurity practices
{§103(a)(2)(A)(i)} and amend or add to those practices as deemed appropriate by
the Council {§103(a)(2)(A)(ii)}. If no cybersecurity practices are submitted by
the sector coordinating councils, the Council is required to develop those
practices on its own. Presumably this will be done in consultation with CIPAC
and ISAOs, but that is not required {§103(a)(2)(B)}.
In developing these cybersecurity practices the Council is
required {§103(d)} to prioritize the development based upon the risk assessment
discussed in yesterday’s blog post. This risk assessment will not be available
to the sector coordinating councils as it will be developed concurrently with
their development of cybersecurity practices. Besides, there are no provisions
in the bill that would require the sharing of this risk assessment with the
sector coordinating councils.
These cybersecurity practices are to be living requirements
to be reviewed and adjusted by the sector coordinating councils and the Council
no less frequently than every three years.
Technology Neutrality
The crafters of this bill clearly wanted to ensure that no
one company or industry unduly benefited from the provisions of this bill, so
they mandated that the cybersecurity practices be technology neutral. This
means that a cybersecurity practice could not require {§103(f)}:
• The use of a specific commercial information technology product; or
• That a particular commercial information technology product be designed,
developed, or manufactured in a particular manner.
Existing Regulations
The bill would allow existing regulatory agencies to adopt
cybersecurity practices as mandatory {§103(g)(1)(A)}. In fact, it actively
encourages agencies to do so by requiring them to report to Congress why they
have not done so within one year of the enactment of this bill {§103(g)(1)(B)}.
Given that the Council has up to one year to adopt/establish the cybersecurity
practices and any adoption of those practices as mandatory would have to go
through the publish and comment process, there will be a lot of reporting to
Congress.
The crafters of this bill were careful to note that this
bill does not give any agency any additional authority to regulate
cybersecurity {§103(g)(1)(C)}. This means, for example, that the current
prohibition under CFATS for DHS mandating any security procedure still applies
to these cybersecurity practices.
The bill also specifically does not step on the toes of
existing regulatory regimes. The adopted cybersecurity practices may not
prohibit an entity from complying with an existing law or regulation
{§103(g)(2)}.
Independent Review
The bill requires {§103(h)} that a public review of each
cybersecurity practice be conducted by CIPAC and the sector
coordinating councils. CIPAC meetings are already public (in most instances)
and a notice is required to be published in the Federal Register about all such
meetings, public or not. Sector coordinating councils are not so closely
regulated and it is not clear how the drafters expect to require their review
to be public.
Voluntary Technical Assistance
Finally, this section requires {§103(i)} the Council, when
requested by an owner/operator, to “provide guidance on the application of
cybersecurity practices to the critical infrastructure”. Given that the Council
is not provided a staff or funding, it is not clear how this guidance will be
provided. I would guess that the crafters intended it to come from the existing
regulatory agencies that are already understaffed and underexpertised (new
word) on cybersecurity matters.