Last
week I wrote about the notice published by DHS National Protection and Programs
Directorate (NPPD) concerning the notifications made to organizations and
facilities that have been designated Cyber Dependent Critical Infrastructure
(CDCI). In that post I mentioned in passing that the request for
reconsideration process outlined in that notice could be used by facilities
that wished to be so
designated. Today I want to look at why a facility might want to make such
a request.
Program Benefits
The CDCI program is part of the President's
executive order on Improving Critical Infrastructure Cybersecurity (EO
13636) and is identified in §9 of
that document. Strictly speaking, §9 only outlines the procedures for identifying and designating
facilities as CDCI; it says nothing about what follows from the designation. The Notice published last week provides a brief listing of
the positive impacts associated with the CDCI designation:
● Ability to request
expedited processing through the DHS Private Sector Clearance Program, which
may provide access to classified government cybersecurity threat information as
appropriate;
● May be prioritized
for routine and incident-driven cyber technical assistance activities offered
by DHS and other agencies; and
● May receive priority
in gaining access to Federal resources and programs to enhance the security and
resilience of critical infrastructure against cybersecurity threats.
It is interesting to note that the Notice never uses
the word ‘shall’ in the paragraph describing the positive impacts of the CDCI
designation. The closest that it comes is in the final sentence:
“As Federal government
resources and programs develop and improve to enhance the security and
resilience of critical infrastructure against cybersecurity threats,
cyber-dependent critical infrastructure will be a continued priority.”
There is nothing in the recent Notice or in §9 of
the Executive Order that indicates that there are any specific requirements levied
on a facility as a result of being designated as CDCI. The closest the Notice
comes is a brief statement that the CDCI designees will be “encouraged to
participate in the National Institute of Standards and Technology (NIST)
cybersecurity framework for critical infrastructure”.
CSF Mandate
While the Administration has been very careful to
talk about the voluntary nature of the cybersecurity framework (CSF) that was
developed by NIST, the President made clear in the Executive Order that
there was the distinct possibility that certain organizations might be required
to adopt the CSF. Among the organizations specifically mentioned in §10(a) of the EO (though the section is certainly not limited to them)
are the critical infrastructure identified under §9 of the order, that is, the CDCI.
Agencies are required to determine which CDCI they
currently have adequate regulatory authority to “establish requirements based
upon the Cybersecurity Framework to sufficiently address current and projected
cyber risks to critical infrastructure”. Where that authority does not
currently exist, the EO directs the agencies to identify “any additional
authority required”. The clear implication is that the implementation of the
CSF will be required for identified critical infrastructure facilities.
Agencies have until May 16th, 2014, to
determine whether they currently have authority to mandate CSF
implementation, or to make recommendations as to what additional authorities are
necessary to require implementation. At this point there is no telling how long
it might take to implement CSF requirements where the authority currently exists;
it will depend on whether a new rulemaking is required or just the publication of a
notice. New authority will typically require Congressional action, which could
take anywhere from years to decades to acquire.
There is also nothing that says that only CDCI will
be required to implement the CSF. It will probably be easier for most
regulatory agencies to require all of the critical infrastructure installations they already regulate
to implement the CSF than to require it of just a subset of that CI that was
selected by a different agency (DHS NPPD). Either that, or agencies are going to
have to come up with a separate designation process with criteria that are
unique to their sector. That will just add an additional layer of complexity to
the process, slowing it down even more.
Cost Benefit Analysis
Critical infrastructure facilities that have not
been designated as CDCI have a choice to accept that lack of designation or
request reconsideration of that decision. Such facilities will have to weigh
the potential benefits vs the potential costs of the CDCI status to determine
if they want to go through the reconsideration process.
Right now it looks as if the only 'cost' associated
with the designation will be the potential requirement, at some future time, of
implementing the CSF. For facilities that are already implementing or planning
to implement the CSF, there would not really be a cost associated with the decision to
request a positive reconsideration. Other facilities will certainly view a CSF
mandate as a cost if and when the administrative processes for requiring implementation
are completed.
The other question that has to be taken into account
in this cost benefit analysis is when the cost may be incurred. Since there is
only a future possibility (a fairly high probability, in my estimate) of a CSF
implementation requirement, organizations might significantly discount that
potential cost. This matters because the EO calls for an annual
review of the designation of CDCI: a facility that declines now may be designated in a later
round, at a time when the potential cost is fully realized because CSF implementation regulations
are already in place.
Staying off the Bureaucratic Radar
There is one other downside cost that some
organizations may perceive arising from the submission of a request for
reconsideration: that of placing themselves on the DHS radar. Organizations, particularly smaller
organizations, that might not otherwise attract the notice of potential future
regulators at DHS may want to avoid attracting the attention of Federal
agencies. This is particularly true in this era of intended increases in
information sharing within the Federal bureaucracy.
On the other hand, small organizations are unlikely
to have extensive in-house cybersecurity resources. Leveraging some of the
assistance that may be provided by the CDCI program may give installations a
significant boost in the cybersecurity realm. This may provide a competitive
advantage in the market place, or at least reduce the advantage enjoyed by
larger competitors with more developed internal cybersecurity capabilities.
Quick Decision
With the May 15th deadline for requesting
reconsideration fast approaching, organizations are going to have to make a quick
decision. Having said that, this is an annual process, and the selection criteria will
almost certainly change somewhat in the next go around. Failure to file a request for reconsideration by the
deadline does not mean that an organization will be kept out of the program (or
be forced to remain in the program) in perpetuity.
What is not clear from last week’s Notice, however,
is when the next round of designations will be made. The current list of CDCI facilities
was initially provided to the President in July of last year, but it is not
clear when the facilities were actually designated as CDCI. I would assume that
the program was officially stood up in the last couple of months and that we
should expect to see the next annual notice of the reconsideration period about
this time next year.
In any case, if an organization wishes to avail
itself of the potential benefits of the CDCI program, it probably makes
sense to take advantage of the current reconsideration process by submitting
its request before the May 15th deadline.