ISA and Recommendations from the Presidential Commission for Enhancing National Cybersecurity

June 7, 2017

ISA Policy Positions

Source: “A Twelve-Step Program for Implementing the Cybersecurity Social Contract” and “Ten Cybersecurity Items for the President’s First One Hundred Days” (Chapter 2 and Appendix A, respectively, of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity.

Recommendations from the Presidential Commission for Enhancing National Cybersecurity
Step One: We Need to Attack the Cybersecurity Problem with Much Greater Urgency


Commission Action Item 5.5.1: The President should issue a National Cybersecurity Strategy within the first 180 days of his Administration. (SHORT TERM)
Step Three: Government Needs to Dramatically Increase Funding for CybersecurityCommission Action Item 5.2.1: The Administration should expand on the recently proposed Information Technology Modernization Fund (ITMF) to enable agencies to fund technology investments by spreading costs over a predetermined period of time. The investments made under this fund should be integrated into a rolling 10-year strategic investment plan as part of a budget planning process similar to the Department of Defense (DoD) approach. (SHORT TERM)
Step Four: Government Needs to be Organized to Reflect the Current Digital RealitiesCommission Recommendation 5.1: The federal government should take advantage of its ability to share components of the information technology (IT) infrastructure by consolidating basic network operations.

Commission Action Item 5.1.1: The Administration should establish a program to consolidate all civilian agencies’ network connections (as well as those of appropriate government contractors) into a single consolidated network. This program and the consolidated network should be administered by the newly established cybersecurity and infrastructure protection agency as described in Action Item 5.5.2 (MEDIUM TERM)

Commission Recommendation 5.2: The President and Congress should promote technology adoption and accelerate the pace at which technology is refreshed within the federal sector.

Step Five: Focus More on Cybersecurity from a Law-Enforcement PerspectiveCommission Action Item 6.1.4: Congress should provide sufficient resources to the Department of Justice (DOJ) to fully staff and modernize the Mutual Legal Assistance Treaty (MLAT) process, including hiring engineers and investing in technology that enables efficiency. It should also amend U.S. law to facilitate transborder access to electronic evidence for limited legitimate investigative purposes, and should provide resources for the development of a broader framework and standards to enable this transborder access. (MEDIUM TERM)
Step Six: Test Pilot the NIST Cybersecurity FrameworkCommission Action Item 1.4.1:  NIST, in coordination with the NCP 3, should establish a Cybersecurity Framework Metrics Working Group (CFMWG) to develop industry-led, consensus-based metrics that may be used by (1) industry to voluntarily assess relative corporate risk, (2) the Department of Treasury and insurers to understand insurance coverage needs and standardize premiums, and (3) DHS to implement a nationwide voluntary incident reporting program for identifying cybersecurity gaps. This reporting program should include a cyber incident data and analysis repository (CIDAR). (SHORT TERM)

Commission Action Item 1.4.4: The private sector should develop conformity assessment programs that are effective and efficient, and that support the international trade and business activities of U.S. companies. (SHORT TERM)

Step Seven: Government Priority for Working with The Private Sector Should Be Reverses to Emphasize Smaller Companies Instead of Large OnesCommission Recommendation 1.5: The next Administration should develop concrete efforts to support and strengthen the cybersecurity of small and medium-sized businesses (SMBs).

Commission Action Item 1.5.1: The National Institute of Standards and Technology (NIST) should expand its support of SMBs in using the Cybersecurity Framework and should assess its cost-effectiveness specifically for SMBs. (SHORT TERM)

Commission Action Item 1.5.2: Action Item 1.5.2: DHS and NIST, through the National Cybersecurity Center of Excellence (NCCoE), in collaboration with the private sector, should develop blueprints for how to integrate and use existing cybersecurity technologies, with a focus on meeting the needs of SMBs. (SHORT TERM)

Commission Action Item 1.5.3: Sector-specific agencies (SSAs) and industry associations and organizations should collaborate to develop a program to review past public cyber attacks to identify lessons learned from the event, including a focus on application to SMBs. (SHORT TERM)

Step Eight: Workforce development: Awareness Yields to Understanding and Makes Cybersecurity CoolCommission Recommendation 4.1: The nation should proactively address workforce gaps through capacity building, while simultaneously investing in innovations—such as automation, machine learning, and artificial intelligence—that will redistribute the future required workforce.

Commission Action Item 4.1.3: To better prepare students as individuals and future employees, federal programs supporting education at all levels should incorporate cybersecurity awareness for students as they are introduced to and provided with Internet-based devices. (SHORT TERM)

Step Nine: Modernize and Streamline RegulationCommission Action Item 1.4.3: Regulatory agencies should harmonize existing and future regulations with the Cybersecurity Framework to focus on risk management—reducing industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation. (SHORT TERM)

Commission Action Item 5.3.2: In the first 100 days of the Administration, OMB should work with NIST and DHS to clarify agency and OMB responsibilities under the Federal Information Security Modernization Act (FISMA) to align with the Cybersecurity Framework. (SHORT TERM) – OMB, working with NIST and DHS, should identify and address areas of alignment between the Cybersecurity Framework and existing federal requirements. This effort should address areas of conflict or overlap in existing requirements for federal agencies, and gap areas where additional policies, standards, guidelines, and programs may be needed to improve the ability of federal agencies to manage cybersecurity risk.

Step Ten: Develop Market Incentives to Promote Sound Cybersecurity BehaviorCommission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement. (SHORT TERM)

Incentives must play a more substantial role in building a cybersecure nation. (Emphasis added)

Safe harbors would be particularly appropriate to consider in the context of providing business certainty for companies that operate in regulated sectors. Additional benefits to encourage enhanced cybersecurity might include tax incentives, government procurement incentives, public recognition programs, prioritized cyber technical assistance, and regulatory streamlining. In addition, research and development efforts should specifically include a detailed study of how best to improve network security through incentives.

Step Twelve: Government and Industry Need to Partner to Rethink the Cybersecurity Compliance ModelCommission Recommendation 5.3: Move federal agencies from a cybersecurity requirements management approach to one based on enterprise risk management (ERM).
Appendix A Recommendation: Require all federal agencies to demonstrate cost effectiveness for all cybersecurity regulations programs promulgated on the private sectorCommission Action Item 1.4.3: OMB should also issue a circular that makes the adoption of regulations that depart significantly from the Cybersecurity Framework explicitly subject to its regulatory impact analysis, quantifying the expected costs and benefits of proposed regulations.
Appendix A Recommendation: Initiate a cybersecurity education program for senior government officials modeled on the program run by the National Association of Corporate DirectorsCommission Action Item 4.1.4: The federal government should develop a mandatory training program to introduce managers and executives to cybersecurity risk management topics—even if their role is not focused on a cybersecurity mission area—so that they can create a culture of cybersecurity in their organizations. (SHORT TERM)
Appendix A Recommendation: Require federal agencies operating cyber-partnership programs to follow best practices for private-sector engagement as reported in the Journal of Strategic Security in Winter 2015Commission Action Item 1.2.1: The President should create, through executive order, the National Cybersecurity Private–Public Program (NCP 3) as a forum for addressing cybersecurity issues through a high-level, joint public–private collaboration. (SHORT TERM)