Last week I wrote about the notice published by DHS National Protection and Programs Directorate (NPPD) concerning the notifications made to organizations and facilities that have been designated Cyber Dependent Critical Infrastructure (CDCI). In that post I mentioned in passing that the request for reconsideration process outlined in that notice could be used by facilities that wished to be so designated. Today I want to look at why a facility might want to make such a request.
The CDCI program is part of the President’s executive order on Improving Critical Infrastructure Cybersecurity (EO 13636) and is identified in §9 of that document. Actually, §9 only outlines the procedures for designating facilities as CDCI. The Notice published last week provides a brief listing of the positive impacts associated with the CDCI designation:
● Ability to request expedited processing through the DHS Private Sector Clearance Program, which may provide access to classified government cybersecurity threat information as appropriate;
● May be prioritized for routine and incident-driven cyber technical assistance activities offered by DHS and other agencies; and
● May receive priority in gaining access to Federal resources and programs to enhance the security and resilience of critical infrastructure against cybersecurity threats.
It is interesting to note that the Notice never uses the word ‘shall’ in the paragraph describing the positive impacts of the CDCI designation. The closest that it comes is in the final sentence:
“As Federal government resources and programs develop and improve to enhance the security and resilience of critical infrastructure against cybersecurity threats, cyber-dependent critical infrastructure will be a continued priority.”
There is nothing in the recent Notice or in §9 of the Executive Order that indicates that there are any specific requirements levied on a facility as a result of being designated as CDCI. The closest the Notice comes is a brief statement that the CDCI designees will be “encouraged to participate in the National Institute of Standards and Technology (NIST) cybersecurity framework for critical infrastructure”.
While the Administration has been very careful to talk about the voluntary nature of the cybersecurity framework (CSF) that was developed by NIST, the President made clear in the Executive Order that that there was the distinct possibility that certain organizations might be required to adopt the CSF. Specifically mentioned (but certainly not limited to) in §10(a) of the EO are the critical infrastructure identified under §9 of the order (the CDCI).
Agencies are required to determine which CDCI they currently have adequate regulatory authority to “establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure”. Where that authority does not currently exist, the EO directs the agencies to identify “any additional authority required”. The clear implication is that the implementation of the CSF will be required for identified critical infrastructure facilities.
Agencies have until May 16th, 2014, to make a determination if they currently have authority to mandate CSF implementation or make recommendations as to what additional authorities are necessary to require implementation. At this point there is no telling how long it might take to implement CSF requirements if the authority currently exists; it will depend on if a new rulemaking is required or just the publication of a notice. New authority will typically require Congressional action, which could take anywhere from years to decades to acquire.
There is also nothing that says that only CDCI will be required to implement the CSF. It will probably be easier for most regulatory agencies to require all existing critical infrastructure installations to implement the CSF than just a subset of the currently identified CI that has been selected by another agency of DHS. Either that, or agencies are going to have to come up with a separate designation process with criteria that are unique to their sector. That will just add an additional layer of complexity to the process; slowing it down even more.
Cost Benefit Analysis
Critical infrastructure facilities that have not been designated as CDCI have a choice to accept that lack of designation or request reconsideration of that decision. Such facilities will have to weigh the potential benefits vs the potential costs of the CDCI status to determine if they want to go through the reconsideration process.
Right now it looks as if the only ‘costs’ associated with the designation will be the potential requirement at some future time of implementing the CSF. For facilities that are already implementing or planning on implementing the CSF would not really a cost associated with the decision to request a positive reconsideration. Other facilities will certainly view a CSF mandate as a cost if and when the administrative processes for requiring the implementation are completed.
The other question that has to be taken into account in this cost benefit analysis is when the cost may be incurred. Since there is only a future possibility (a fairly high probability in my estimate) of a CSF implementation requirement, organizations might significantly discount that potential cost. This is particularly true because the EO calls for an annual review of the designation of CDCI; a future designation may come at a time when the potential cost is fully realized with CSF implementation regulations already in place.
Staying off the Bureaucratic Radar
There is one other downside cost that some organizations may perceive arising from the submission of a request for reconsideration; that of placing themselves on the DHS radar. Organizations, particularly smaller organizations, that may not otherwise attract the notice of potential future regulators at DHS may want to avoid attracting the attention of Federal agencies. This is particularly true in this era of the intended increase of information sharing within the Federal bureaucracy.
On the other hand, small organizations are unlikely to have extensive in-house cybersecurity resources. Leveraging some of the assistance that may be provided by the CDCI program may give installations a significant boost in the cybersecurity realm. This may provide a competitive advantage in the market place, or at least reduce the advantage enjoyed by larger competitors with more developed internal cybersecurity capabilities.
With the May 15th deadline for requesting reconsideration fast approaching, organizations are going to have to make a quick decision. Having said that; this is an annual process with a fairly high certainty that the selection criteria will almost certainly change somewhat in the next go around. Failure to file a request for reconsideration by the deadline does not mean that an organization will be kept out of the program (or be forced to remain in the program) in perpetuity.
What is not clear from last week’s Notice, however, is when the next round of designations will be made. The current list of CDCI facilities was initially provided to the President in July of last year, but it is not clear when the facilities were actually designated as CDCI. I would assume that the program was officially stood up in the last couple of months and that we should expect to see the next annual notice of the reconsideration period about this time next year.
In any case, if an organization wishes to avail themselves of the potential benefits of the CDCI program, it probably makes sense to take advantage of the current reconsideration process by submitting their request before the May 15th deadline.