Thanks to a note from Bob Radvanovsky over on the SCADASEC-L mailing list, I found a copy of the memorandum of understanding (MOU) between NIST and DHS NPPD about the cooperation between the two organizations in the development and implementation of the Cybersecurity Framework. It was signed by the responsible Under Secretaries from DHS and Commerce the day the President publicly released his executive order.
The details of who provides assistance to whom are pretty straightforward, even couched in bureaucratese. Both will provide a person to work in the other’s office to act as a coordinator. There will be all sorts of consulting and coordinating going on. If you’re interested in how these two agencies are going to be working together to get the EO in actual operation, this is worth the read.
Handoff of Develop to Implement
One of the things that is hopeful here is that there seems to be a clear understanding that there is a difference between developing the Framework and implementing it. I was more than a little concerned that two different organizations from different bureaucratic cultures would be handling the two sides of this program, particularly since the first common point in their respective chains-of-command is the President.
NIST promises to provide “technical expertise to NPPD regarding the application of NIST-developed standards, guidelines, and frameworks; detection and handling of information security incidents, development of cybersecurity vulnerability assessments; and security automation” (pg 2).
NPPD’s side of the handoff is covered in two separate “will consult” clauses:
• “[O]n the production of bulletins or memoranda pertaining to implementation of standards, guidelines, frameworks or other applicable cybersecurity policies”; and
• “[O]n the development of metrics that will be used by Departments and Agencies to measure the effectiveness of cybersecurity programs or identify optimal security solutions”.
One Small Red Flag
There is potential for problems in one of the areas where NPPD outlines its support responsibilities for the development of the Framework. At the bottom of page 2 NPPD promises to:
“Provide relevant information, including analyses, priorities, sector specific plans, vulnerability assessments, and reports on operational aspects of Federal agency cybersecurity, consistent with NPPD information sharing policies [emphasis added], to assist NIST in the development of information security standards, guidelines, and frameworks.”
I know that politicians are constitutionally incapable of committing to anything without caveats and exemptions and this MOU is no exception. But, having said that, the development of the Framework is such an important part of this program that the holding back of information because of intra-governmental information sharing policies could kill the effectiveness of the EO.
One last thing; I do find it very interesting that the main players in the President’s new cybersecurity executive order signed this MOU on the day the President publicly released the EO. Since the drafts that have been circulating since November were almost identical to the finished product, one wonders why the delay in publishing this signature document.
I suspect that it was to allow time for these two agencies to work out their differences and find a way to work together to get the project going in the right direction. If that is the case, this took quite a while for a relatively uncomplicated document. How much time is it going to take to iron out their differences on something like the Framework?
I’m starting to feel a little better about the ability of NIST to get their preliminary Framework published, though I am far from confident. The little red flag here still shows that they have a number of bureaucratic hurdles to overcome while they are working on a technologically complex task. Few organizations are well suited to handle both.
BTW: The new Cybersecurity Executive Order is never mentioned in this MOU.