
This Week: Rolling Out the Cybersecurity Framework

By Mitch Herckis, posted Feb 17, 2014 12:05 PM

  

The big news last week centered around the release of the Cybersecurity Framework on Wednesday. Well, the framework and a major storm that caused the greatest cancellation of flights since September 11, 2001. As I spent the latter half of last week trying to get back to DC from the Midwest, I had plenty of time to pay close attention to both. Below you’ll find some details on the framework, NASCIO’s support, and what vital details states need to know. Let’s get to it!


Key Takeaway: What You Need to Know About the Cybersecurity Framework


1) What is it? The framework is a tool that both public and private sector entities can use to “understand, communicate, and manage their cyber risks.” Basically, it is a decision tool that can help key personnel assess what level of security they currently have in place and decide where they would like to be. What it can’t do is tell you what level of security you should implement, or which tools to utilize. Nonetheless, providing a common playbook should be useful for public and private entities looking to communicate their level of cyber preparedness with executives and stakeholders.


2) What Does NASCIO Think? NASCIO was able to provide input on the framework throughout its formulation, and is supportive of the framework. NASCIO will be encouraging states to consider becoming early adopters of the framework. We look forward to working with the administration to make the framework more accessible and helpful for governments, such as building a state and local government overlay. For a more detailed overview of our thoughts, check out our press release from last week.


3) Anything else I should know? Yes. For one, this is the first iteration of the framework. It will likely continue to mature over time. State governments should also be aware of the privacy and civil liberties section that deals with collection and retention of personally identifiable information (PII). This could be helpful given the amount of PII collected by state governments, but it will require work with a wide array of officials in crafting this section to ensure state privacy and civil rights policies are well-crafted. Finally, over time there will be opportunities from DHS linked to the framework, and more work and collaboration to be done around this, as we discuss below.


Other Buzz:

Opportunities for Future Collaboration - We at NASCIO see this as one step, and we hope to continue working with allies in the federal government to create a state and local government overlay that provides more guidance by including mandates, requirements, and special concerns for security common across the public sector. Also, we see an opportunity to utilize the framework to harmonize grant requirements across agencies under the Federal Information Security Management Act of 2002 (FISMA). Finally, we want to work with DHS and others to create incentives for public sector adoption.


DHS Outreach and Assistance Program - In concert with the roll-out of the framework, DHS is unveiling the “C3 Voluntary Program,” the nascent infrastructure of what will ultimately be a vehicle for promoting use of the Framework among public and private sector organizations (see the DHS C3 website at CERT). DHS is beginning by aligning its assistance to the framework’s ‘Identify, Protect, Detect, Respond, Recover’ core function areas. It is also attempting to create a single gateway to access DHS information and support for cyber resources and questions from stakeholders regarding the framework. NASCIO members should keep their eyes peeled for additional information and opportunities for direct discussions with DHS via the NASCIO community.


Your Weekly Techbytes:


White House unveils cyber plan, implores Congress
Gearing Up for Multi-Channel Citizens with Government-as-a-Service
Here’s How Hackers Stole 110 Million Americans’ Data from Target
911 Call Centers Consider Impact of FCC Texting Proposal
Social Media Changes Emergency Operations, Adds Immediacy
Esri to Allow Public Look at Gov’t Mapping Data
Have You Made Your Telework Week Pledge?
How to Make Data-Based Hiring Decisions