December 2013 Monthly Highlights

January 15, 2014

ISA Accomplishments and Activities for December 2013

  • New National Plan for Security Embraces ISA Concepts. The new, final National Plan for Critical Infrastructure Security (formally called the NIPP), required under Presidential Policy Directive 21 (2/13/12), was released on December 20. The National Plan provides the overall context for government-industry partnerships for critical infrastructure security.
    • The new plan states that it reflects “a significant evolution in critical infrastructure risk policy.” Much of this evolution reflects a move toward long-held ISA doctrine on risk, the economics of cyber security and the need for incentives. Much of the new language was negotiated personally between ISA and DHS Undersecretary Suzanne Spaulding. Among the new constructs that mirror long-standing ISA policy are statements such as: “Risk management means identifying and analyzing risk and accepting, avoiding or transferring it at an acceptable level and acceptable costs.” “Government and industry have aligned, but not identical, interests in securing critical infrastructure…both perspectives are legitimate….Risk tolerance will differ between public and private sector regarding security investments and appropriate risk tolerance. Finding the appropriate value proposition between these partners requires understanding the different perspectives…Critical infrastructure security may depend on applying risk management coupled with available resources and incentives.”
  • ISA Co-Hosts Pan-Industry Meeting on Implementing New National Plan and the President’s Cyber Executive Order. Acting in his role as Chair of the IT Sector Coordinating Council, ISA President Larry Clinton co-hosted a joint meeting with the Communications Sector Council and key policymakers from the White House, DHS, NIST, DOD, GSA, and DOE. The meeting took the unusual form of panels entirely populated by government representatives but chaired by industry representatives. The government leaders were charged with laying out plans for implementing the new National Plan and the President’s cyber Executive Order. Speakers included White House National Security Staffer Samara Moore, Acting DHS Under Secretary for the National Protection and Programs Directorate Suzanne Spaulding, DHS Deputy Under Secretary for Cybersecurity Phyllis Schneck, and the Chair of the President’s Integrated Task Force on the EO, Bob Kolasky.
  • ISA Submits Its Comments Regarding the NIST Cybersecurity Framework. Following conversations with the ISA Board at the October ISA Board Meeting and on a December ISA Board Call, ISA submitted its official comments regarding the NIST Cybersecurity Framework. The comments, which were featured in “Inside Cybersecurity,” included a request that the Administration “beta test” the Framework with representative entities across the critical infrastructure segments to determine what “adoption” means and what would constitute success, and to evaluate the costs and resources needed for implementation as well as the incentives that could be used to offset those costs. In its comments, ISA also requested that the Framework security measures be evaluated for cost-effectiveness and that NIST provide a prioritization of these measures as mandated in the Executive Order.