This is part of a continuing series of blog posts looking at the responses to a joint request for information (RFI) from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) to support their development of incentives to adopt the improved cybersecurity practices being developed by the NIST as part of the Cybersecurity Framework mandated by the President’s executive order on cybersecurity (EO 13636). The previous posts in the series are listed below.
As expected, there were a large number of comments left this week. The RFI called for a close on comments by April 29th, but it is apparent that this was not a hard close date, as the comments listed on the RFI site include comments submitted on May 3rd. It will be interesting to see if additional comments are posted to the site next week.
There are now a total of 45 comments listed on the web site. They represent a broad cross section of industry and public sector organizations with a heavy dose of electrical generation/transmission representation. There is only one chemical company listed (Monsanto; okay, biochemical) and four organizations that represent, to some degree, chemical manufacturing interests. They are:
• Monsanto –
Incentives Not Necessary
The API reports that they do not think that incentives are really necessary. They claim that most oil and gas companies already take cybersecurity seriously because they recognize the threat to their businesses. They provide a listing of programs in which the industry is already participating. These include:
• API’s IT Security Subcommittee;
• Project LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity);
• DHS Cyber Information Sharing and Collaboration Program; and
• Oil and Natural Gas Sector Coordinating Councils Cybersecurity Working Group.
The AFPM echoes this point about self-interest, noting that: “AFPM members operate multi-billion dollar facilities and are extremely motivated to protect their companies, even without government incentives.” (pg 2)
They also report that: “AFPM members are large businesses and have the benefit of employing security professionals who have knowledge of current cybersecurity risks and mitigations.” (pg 3).
Monsanto takes a slightly different view of incentives than most people would associate with the term. They are looking more at programmatic features, including:
• Protection of sensitive information;
• Sharing of technical threat indicators and periodic briefings;
• Increased sponsorship of security clearances; and
• Clear scope and definition of “critical infrastructure”.
The AGA comments echo the comments about information sharing, noting that of the potential incentives mentioned in the RFI, the one that seems to be missing “is liability protection for information sharing” (pg 1). They also note that: “The potential for releasing information through the Freedom of Information Act (FOI) is one of our major concerns.” (pg 2).
The Chamber of Commerce is concerned about the flexibility and responsiveness of any federal cybersecurity program, reporting that “any cybersecurity regime that industry believes would favor compliance and bureaucracy over creativity, speed, and innovation would almost certainly create a powerful disincentive (sic) to participation by critical infrastructure owners and operators” (pg 2).
The Chamber makes it clear in their comment that they feel that cybersecurity legislation is required for an effective program. They emphasize that such legislation should address information sharing liability protections, establish general liability protections for program participants, and extend the liability protections of the SAFETY Act.
With the official comment period now closed, the Department of Commerce will begin working on its report to the President on potential incentives that may be used to encourage voluntary participation in the Cybersecurity Framework currently under development. It really is a shame that the President’s EO set these two development programs working simultaneously. The incentives development program would probably be more effective if the actual Framework were already in existence so that particular incentives could be proposed for particular parts of the Framework.