
Have You Heard About the Cybersecurity Framework?

By William G. Perry, Ph.D.

The Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Department of Commerce (DOC) have been tasked by the President of the United States to develop a cross-sector cybersecurity framework.

On Wednesday, April 3rd, 2013, the Special Assistant to the President for Cyber Security opened a panel discussion in Washington, D.C. related to Presidential Executive Order 13636. The purpose of the panel was to describe the process to be followed in developing a national standard.

Congress had previously voted down a bill that contained the essence of what the Executive Order requires.

Responsible federal authorities explained their general approach to the participants in the meeting. The end goal of the process is to produce a cybersecurity framework that will be applicable across the nation's critical national infrastructure (as defined by Presidential Decision Directive 63). The goal of the framework is to protect cyber-based assets that are vital to the economic and national security of the United States in what was described as the "new normal" for business, industry and the public sector.

Eighty-five percent of the critical national infrastructure is owned by the private sector. The potential implications for business and industry are far-reaching. A number of perspectives that are shared below should be of interest.

1. Cybersecurity is now considered critical by the Executive Branch of the federal government.

2. The threat environment faced by our critical national infrastructure is asymmetric and increasing in complexity and severity.

3. The cybersecurity framework shall focus on identifying threats to the critical national infrastructure at all levels.

4. The cybersecurity framework being developed is described as being collaborative and risk-based.

5. The cybersecurity framework shall emphasize an understanding of risk-based management.

6. Situational awareness must be enhanced through cross-sector Information Sharing and Analysis Centers (ISACs).

7. International information security standards will be acknowledged and compatible.

8. Privacy and civil rights issues must be considered.

9. Each entity (private or public) must identify risks and address them.

10. Vigorous employee awareness must be a component of the cybersecurity framework that is enacted.

11. The cybersecurity framework must have a clear and concise legal framework.

12. There must be an awareness of the function of control systems and why they must be secured.

13. The resulting cybersecurity framework must be measurable, repeatable and valid.

14. The success of the new cybersecurity framework depends upon what panel members described as "voluntary compliance."

Major industry leaders are on board with the development of the new security framework. Among the panel members were senior officials from Visa, Microsoft, Merck, Northrop Grumman, IBM, SANS, ANSI and other heavyweights.

The development of the computer security standards should be monitored by all interested parties. Whatever the final cybersecurity framework product turns out to be, there are likely to be genuine concerns.

The federal government is going to issue decrees as to how private sector data is processed and secured through "voluntary compliance". What is meant by "voluntary compliance"? How is this going to work? One regime might be auditing an organization to determine whether a vendor or provider is in compliance with the framework. If the organization has yet to comply, it might be banned from being a supplier to the federal government. The possibilities are endless.

We live in a time when there is good reason to be concerned over how government agencies regulate and use our metadata. The emerging cybersecurity framework does little to ease such worries.

Dr. William G. Perry is the founder of Paladin Information Assurance and its chief information security analyst. Paladin's mission is to help organizations discover information security risks and to deploy mitigations. Its core belief is that the protection of digital processing infrastructure is a matter of national security and must be treated as a key business process.

Dr. Perry also publishes the informative Computer Security Glossary.

Article Source: Have You Heard About the Cybersecurity Framework?
