critical infrastructure

By Susan B. Cassidy

On March 12, 2014, General Services Administration (“GSA”) issued a Request for Information (“RFI”) to obtain stakeholder input on implementing the recommendations contained in the joint GSA and Department of Defense (“DOD”) report, Improving Cybersecurity and Resilience through Acquisition (“Joint Report”), issued on January 23, 2014.

The Joint Report and, in turn, the RFI from GSA were issued in furtherance of Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity, which called for GSA and DOD, in consultation with the Secretary of Homeland Security and the Federal Acquisition Regulatory Council, to make recommendations to the President “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”  The Joint Report responded to this request with six recommendations for strengthening the federal government’s cyber resilience:

  1. Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
  2. Address cybersecurity in relevant training;
  3. Develop common cybersecurity definitions for federal acquisitions;
  4. Institute a federal acquisition cyber risk management strategy;
  5. Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources, whenever available, in appropriate acquisitions; and
  6. Increase government accountability for cyber risk management.

Through the RFI issued on March 12, GSA has requested stakeholder input on how to implement the Joint Report’s recommendations.  To this end, GSA provided a draft Implementation Plan, which addresses the implementation of the Joint Report’s fourth recommendation, “institute a Federal acquisition cyber risk management strategy.”  The Implementation Plan explains that GSA will implement the Joint Report’s fourth recommendation first because “the risk management strategy and processes to institute it provide the foundation that is necessary for the other recommendations to be implemented.”

Continue Reading GSA Seeks Comments on Implementation of GSA/DOD Cybersecurity Joint Report Recommendations

It has been an eventful week in the European Parliament in relation to data privacy and security matters.  Having already voted in favor of the General Data Protection Regulation (“GDPR”) and endorsed a controversial report into allegations of mass surveillance, the European Parliament voted yesterday on the proposed Network and Information Security (“NIS”) Directive.  In line with previous committee reports, the Parliament vote ensures that the Proposed Network and Information Security Directive focuses on protecting critical infrastructure in the energy, transport, financial services and health sectors. 

The EU legislative bodies will now enter into negotiations to agree a final text.  Commissioner Kroes called earlier this week for this work to be completed this year, but this timeframe seems ambitious.

Continue Reading European Parliament Votes to Ensure that the Proposed Network and Information Security Directive Focuses on Protecting Critical Infrastructure

Today the National Institute of Standards and Technology (“NIST”) issued a discussion draft of a “Preliminary Cybersecurity Framework.”

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity tasked NIST with developing a “Cybersecurity Framework” “to reduce cyber risks to critical infrastructure.”  The Order specifies that the Framework must “provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”

NIST is drafting the Framework in consultation with industry, other government agencies, and other experts.  The final version will provide voluntary cybersecurity guidance for critical infrastructure and other businesses.  NIST describes the Framework as providing “a common language for expressing, understanding, and managing cybersecurity risk.”

As described in the NIST discussion draft, the Framework is intended to guide businesses through a risk-based assessment and improvement of their cybersecurity posture.  The discussion draft Framework is organized around three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile.

Continue Reading NIST Releases Preliminary Cybersecurity Framework