This is another in a series of blog posts about the
latest DHS-IdeaScale project to open a public dialog about homeland security
topics. This dialog
addresses the DHS Integrated Task Force project to help advance the DHS
implementation of the President’s Cybersecurity Framework outlined in EO 13636.
The earlier posts in this series were:

Just days after I essentially wrote off this IdeaScale
Project, another ‘idea’ was posted to the site for public comment. This time it was
from Jonathan Tabb, who is apparently associated with the DHS Integrated Task
Force. Jonathan’s
post addresses the recently adopted National Performance Goals supporting
the Preliminary Cybersecurity Framework.

I am going to stretch the Free Use Doctrine here a bit with
the amount of data I am going to quote from Jonathan’s idea, but it appears
that this was lifted intact from an as-yet unpublished DHS ITF document, so
I should be okay with the copyright infringement folks. Here are the National
Performance Goals as listed by Jonathan:

1. Critical systems and functions are identified and prioritized and cyber risk is understood as part of a risk management plan.
2. Risk-informed actions are taken to protect critical systems and functions.
3. Adverse cyber activities are detected and situational awareness of threats is maintained.
4. Resources are coordinated and applied to triage and respond to cyber events and incidents in order to minimize impacts to critical systems and functions.
5. Following a cyber incident, impacted critical systems and functions are reconstituted based on prior planning and informed by situational awareness.
6. Security and resilience are continually improved based on lessons learned consistent with risk management planning.

As I commented on the IdeaScale site last night (my comments
have not yet been moderated and made public as of 05:30 CST) these goals are
even more broadly crafted than the PCF. In fact, they are so broadly crafted
that it would be hard to object to anything specific in the goals. Readers that
venture a look at the IdeaScale site will note that I did vote ‘Disagreed’ with
these goals; that vote was based upon my disagreement with their being
overly broad and without measurable standards.

In the past, I have urged my readers to look at the ideas
posted to the IdeaScale site and encouraged them to vote and comment on the
ideas. I can no longer in good conscience do that with any enthusiasm for the reasons I
outlined in my last post on this topic. Still, if you had hoped that the
Cybersecurity Framework, and by extension the National Performance Goals that
support the implementation of that framework, would have a measurable effect on
the cybersecurity status of the critical infrastructure associated control
systems in this country, please join me in disagreeing with this particular
idea.