Profile Information

  • Company Name: Referentia Systems
  • Sector: healthcare, public, professional, IT
  • Country:

Post by Norman

Why The Cybersecurity Framework was Created

My understanding from the Administration's comments at the time of the release of the Cyber Executive Order (Cyber EO) was that the reason for the Cyber EO and the consequent development of the Framework was Congress' inability to pass any cybersecurity legislation for critical infrastructure. Specifically, the Obama Administration backed the failed Senate legislation, the Cybersecurity Act of 2012 (S.3414), on Aug 2, 2012, in an attempt to improve cybersecurity across the 16 identified critical infrastructures. The goal of the Senate S.3414 was to consolidate the oversight and regulation of the private-sector cyberspace of critical infrastructure within the Dept of Homeland Security (DHS), as recommended in the Cyber Policy Review in 2009, but the legislation was rejected because opponents said it would lead to undue government regulation of the private sector. Since then, there has been little expectation that new cybersecurity legislation would be passed (although there has been some recent progress). Hence, the Cyber EO implements the parts of the S.3414 legislation that can be done within the Administration, but it is limited because only legislation can change or create new regulatory authority. And, because some cyber infrastructures are not currently regulated, the Cyber EO approach will be voluntary for non-regulated critical infrastructures. Therefore, the Cyber EO differs from S.3414 primarily by seeking a multi-agency regulatory solution - coordinating all agencies with regulatory control over critical infrastructures - rather than a centralized regulatory solution. The reason this origin of the Framework is important is that the EO required the affected regulatory agencies to report by 8 Jan 2014 on whether or not they have authority to use the Framework and how it can be used.

The contents of these agency reports have not been released, but the Administration's comments are that there is consensus that the Framework can be aligned with existing regulatory authority and activities. Because of the broad deployment by the affected regulatory agencies, the Framework is likely to become a new cybersecurity standard for regulated critical infrastructures. Because of the features listed above, it promises to become a standard for non-regulated industries as well. One comment on the voluntary nature of the Framework: since mid-2013, the Administration has stated that the use of the Framework will be voluntary, but many think the affected regulatory agencies will adopt the Framework as a way to reduce costs in the long run through simplification and standardization of the compliance process. I look forward to future postings!