White House Previews List of Incentives to Support Adoption of its Cybersecurity Framework

As its latest step in a broader effort to prioritize cybersecurity, the White House released last week a list of possible incentives that may be offered to companies that own or operate critical infrastructure systems and assets to encourage adoption of a national Cybersecurity Framework, scheduled for release in February 2014. The list of possible incentives, which the Departments of Homeland Security, Commerce, and Treasury identified in response to a February 12, 2013 Executive Order, includes grants, liability limitation, public recognition, and cybersecurity investment rate recovery, among others. Some of the identified incentives could be created from existing federal agency authorities, while others would require legislative action from Congress. Over the next few months, agencies will seek input from critical infrastructure stakeholders in examining their preliminary lists and determining which to implement and how.

In the same February 12, 2013 Executive Order, the President directed the National Institute of Standards and Technology (NIST), an agency of the Department of Commerce, to lead the development of a national Cybersecurity Framework to reduce cyber risks to critical infrastructure. The President called for the Framework to include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks, and directed NIST to incorporate voluntary consensus standards and industry best practices to the fullest extent possible. NIST released a draft outline of the Framework on July 1, 2013, and a full draft of the Framework is scheduled for release in October.

Exactly how the Cybersecurity Framework will interact with or complement the North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards is unclear. The Cybersecurity Framework is intended to provide cross-sector security standards, while the NERC CIP standards were developed by, and for the use of, the electricity sub-sector. The Administration intends for NIST to consult its peers, as the President directed the Secretary of Homeland Security to "engage and consider the advice" of sector-specific and other relevant agencies. The Secretary must also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations, which would presumably include NERC. Whether NERC has been consulted and how its input thus far has been considered is unclear.

In its draft outline of the Cybersecurity Framework, NIST indicates that the voluntary program is intended to complement rather than to conflict with current regulatory authorities, and the draft compendium, attached to the outline, includes reference to the NERC CIP Standards. In fact, NERC submitted comments in response to NIST's February 26, 2013 Request for Information seeking input to help shape the draft Framework. However, the content of the Framework is still unknown, and until the draft is released in October, the exact relationship between the two sets of standards remains uncertain. In the meantime, as NERC stated in its comments to NIST, NERC feels strongly that a second set of potentially conflicting or redundant standards could create undue hardship on the electricity sub-sector. NERC also stated that, "while a framework of cybersecurity standards that is applicable to all sectors is possible, the framework may need flexibility to have certain common elements to be valuable or effective. Some sectors, such as the electricity sub-sector, are far more advanced in their cybersecurity efforts; other sectors may need time to meet minimum (voluntary) standards. The framework must build on existing standards and programs to develop a comprehensive approach to cybersecurity."

As national-level cybersecurity efforts have progressed this year, so have NERC's efforts to improve the CIP standards. NERC Reliability Standards are generally written as performance standards; that is, they prescribe a measurable end-state or goal, and attempt to remain technology- and method-neutral. However, utilities widely criticized earlier versions of the standards as being focused primarily on compliance documentation as opposed to security principles. With input from stakeholders, NERC significantly revised its CIP standards in Version 5, which were filed with FERC on January 31, 2013. Much of industry considers the revised CIP program to be an improved framework for critical asset cybersecurity protection, with a renewed risk-based focus on security. NERC stated that it stands ready to share its industry-driven approach with NIST as it endeavors to develop the Cybersecurity Framework.