Thanks to a note from Bob Radvanovsky over on the SCADASEC-L mailing list, I found a copy of the memorandum of understanding (MOU) between NIST and DHS NPPD about the cooperation between the two organizations in the development and implementation of the Cybersecurity Framework. It was signed by the responsible Under Secretaries from DHS and Commerce on the day the President publicly released his executive order.
The details of who provides assistance to whom are pretty straightforward, even if couched in bureaucratese. Each agency will detail a person to the other's office to act as a coordinator, and there will be all sorts of consulting and coordinating going on. If you're interested in how these two agencies are going to work together to get the EO into actual operation, this is worth the read.
Handoff of Develop to Implement
One of the hopeful things here is that there seems to be a clear understanding that there is a difference between developing the Framework and implementing it. I was more than a little concerned that two different organizations from different bureaucratic cultures would be handling the two sides of this program, particularly since the first common point in their respective chains of command is the President.
NIST promises to provide "technical expertise to NPPD regarding the application of NIST-developed standards, guidelines, and frameworks; detection and handling of information security incidents; development of cybersecurity vulnerability assessments; and security automation" (pg 2).
NPPD's side of the handoff is covered by two separate "will consult" clauses:
• "[O]n the production of bulletins or memoranda pertaining to implementation of standards, guidelines, frameworks or other applicable cybersecurity policies"; and
• "[O]n the development of metrics that will be used by Departments and Agencies to measure the effectiveness of cybersecurity programs or identify optimal security solutions".
One Small Red Flag
There is potential for problems in one of the areas where NPPD outlines its support responsibilities for the development of the Framework. At the bottom of page 2, NPPD promises to:
“Provide relevant information,
including analyses, priorities, sector specific plans, vulnerability
assessments, and reports on operational aspects of Federal agency
cybersecurity, consistent with NPPD information sharing policies [emphasis
added], to assist NIST in the development of information security standards,
guidelines, and frameworks.”
I know that politicians are constitutionally incapable of committing to anything without caveats and exemptions, and this MOU is no exception. But, having said that, the development of the Framework is such an important part of this program that holding back information because of intra-governmental information sharing policies could kill the effectiveness of the EO.
Timing Coincidence
One last thing: I do find it very interesting that the main players in the President's new cybersecurity executive order signed this MOU on the very day the President publicly released the EO. Since the drafts that had been circulating since November were almost identical to the finished product, one wonders why the delay in publishing this signature document.
I suspect that it was to allow time for these two agencies
to work out their differences and find a way to work together to get the
project going in the right direction. If that is the case, this took quite a
while for a relatively uncomplicated document. How much time is it going to
take to iron out their differences on something like the Framework?
Moving Forward
I'm starting to feel a little better about the ability of NIST to get their preliminary Framework published, though I am far from confident. The little red flag here still shows that they have a number of bureaucratic hurdles to overcome while they are working on a technologically complex task. Few organizations are well suited to handle both.
BTW: The new Cybersecurity Executive Order is never
mentioned in this MOU.