NIST Kicks Off Cybersecurity Framework Development
The Executive Order requires NIST to engage in an "open public review and comment process" to develop the Framework. To that end, NIST has set up a series of workshops and requests for written comments to inform the Framework's development. And NIST has established a website to host all materials related to its development of the Cybersecurity Framework. On April 3, NIST hosted the first such workshop to kick off the discussion. Reflecting the significance of the Framework's development, the auditorium hosting the workshop was packed, with numerous additional attendees participating via webcast.
The opening workshop was an all-day event consisting of brief remarks and panel discussions. Among the presenters were NIST and DHS representatives, several senior officials from a broad cross-section of industries, and representatives from five different sector-specific Information Sharing & Analysis Centers (ISACs). Commerce Deputy Secretary Rebecca Blank's opening remarks noted that the workshop is the first in a series of workshops and requests for comments, all aimed at providing NIST with as much outside input as possible to shape the Framework's development. Deputy Secretary Blank told attendees, "I can't emphasize this enough: the success of this effort is largely dependent on industry involvement."
A few key themes emerged from the workshop's participants:
- Numerous presenters stressed that NIST should not "reinvent the wheel" and should liberally draw on existing multistakeholder efforts to address cybersecurity concerns. In response, NIST representatives noted their intent to draw on existing best practices and standards as much as possible.
- Many of the industry representatives expressed their view that, for information sharing to be effective, Congress needed to legislate to address the antitrust, privacy, and liability protection concerns.
- Many presenters also highlighted the importance of the Framework supporting enterprise risk management rather than emphasizing check-the-box compliance.
At this opening workshop, NIST announced that it will hold three additional workshops before October's release of the preliminary Framework. The upcoming workshops, which NIST promised would be more interactive, will cover the following topics:
- Managing Risk
- Cyber Hygiene
- Tools and Metrics
There are already two different requests for comments relating to the Cybersecurity Framework. NIST's first Request for Information includes thirty-three specific questions, as well as open-ended inquiries, concerning current risk management practices; use of frameworks, standards, guidelines, and best practices; and specific industry practices. Written comments, which will be publicly available, are due by 5 p.m. Eastern time on April 8. And the Department of Commerce has published a Notice of Inquiry seeking input on ways to promote adoption of the Framework, including incentives that would require changes in law. Written comments are due by April 29.
Paul Otto, an associate in our Washington office, contributed to this entry.