ISA Defense Industrial Base Sector Specific Recommendations and the Presidential Commission on Enhancing National Cybersecurity

June 7, 2017

ISA Defense Industrial Base Sector Recommendations

Source: Chapter 3 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity

Presidential Commission on Enhancing National Cybersecurity
Institute a Tiered Maturity Model for Grading Cybersecurity Competency
“The fundamental problem with the cybersecurity regulatory compliance model in the defense sector is that it is a compliance model. It creates an incentive to check the block at the minimum level required to pass without improving defenses in ways not easy to capture by auditors… The compliance model is binary. You either do everything required, or you fail… Turn it into an incentive model. The key is to establish a way for companies to take credit for incremental improvements by structuring the system to have different levels, or tiers, of compliance.” Commission Action Item 1.4.3: Regulatory agencies should harmonize existing and future regulations with the Cybersecurity Framework to focus on risk management—reducing industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation. (SHORT TERM)

Commission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement. (SHORT TERM)

Commission Recommendation 5.3: Move federal agencies from a cybersecurity requirements management approach to one based on enterprise risk management (ERM).

Commission Text: For too long, federal agency cybersecurity requirements have been viewed as a checklist wholly separate from an agency’s core functions and capabilities. There has been a tendency to emphasize strict compliance with prescriptive requirements rather than enterprise risk management. Efforts have been made, especially over the past several years, to stress the value of risk management using standards, guidelines, and best practices developed for federal agencies. However, the federal government has failed to adopt this risk management approach. Instead, it has focused on implementing specific, prescriptive requirements. The Commission recommends that the federal government adopt a risk management approach guided by OMB’s enterprise risk management program.

As part of this effort, federal agencies should be required to use the Cybersecurity Framework as a common standard to evaluate their cybersecurity posture and integrate cybersecurity with the agency’s mission. Such an approach would help eliminate the misperception that cybersecurity is auxiliary to, rather than a core part of, every agency’s mission. It would properly put discussions of cybersecurity risk on the same level as other enterprise-wide risks. It would also reinforce the move away from a culture concerned only with meeting minimum standards.


Information Sharing Beyond the Elites
“In the same way small- and medium-sized businesses are disproportionately impacted by compliance, they are disproportionately excluded from the benefits of a decade of information-sharing efforts. The current close-hold information-sharing methods are designed for companies with the infrastructure and staff capable of manually receiving complex threat data, evaluating these data for their environment, and applying them to any number of defensive systems. Small companies can do none of this. Instead, sharing with small companies requires a passive model where the company can accept threat data in an automated system and have these data applied to their network… The Pentagon should work with industry to create a broader information-sharing environment that is both affordable and passive.” Commission Action Item 1.2.4: Federal agencies should expand the current implementation of the information-sharing strategy to include exchange of information on organizational interdependencies within the cyber supply chain. (SHORT TERM)

Commission Text: While some private-sector organizations are diligent in addressing cyber risks to and through their cyber supply chains, many others either are unaware of the risks or do not have the information and resources necessary to implement an organizationally integrated and robust cyber supply chain risk management program. Smaller organizations with fewer resources and often with less sophisticated cybersecurity capabilities are sometimes left woefully underprepared to address interdependency and supply chain risks.

DHS, the FBI, and DoD should expand existing information-sharing networks to enable the development of a toolkit that supports this NIST guidance for use by private-sector organizations, including small and medium-sized businesses, as they interact with other private-sector organizations, corresponding with the NIST guidance.


DoD Should Move to Better Accommodate a Global Defense Industrial Base
“Defense should work with industry to develop operating concepts for cyber defense in an increasingly global market. Compliance regimes and information-sharing processes must both be modified to accommodate this new reality. The department should immediately begin working with NIST to find an acceptable international standard that can serve as an overseas substitute for defense controlled-information cybersecurity controls. DoD should also begin working with industry to develop a way to share cyber-defense information with foreign suppliers of critical items.” Commission Imperative 6: Ensure an Open, Fair, Competitive, and Secure Global Digital Economy

Commission Recommendation 6.1: The Administration should encourage and actively coordinate with the international community in creating and harmonizing cybersecurity policies and practices and common international agreements on cybersecurity law and global norms of behavior.

Commission Action Item 6.1.2: The federal government should increase its engagement in the international standards arena to garner consensus from other nations and promote the use of sound, harmonized cybersecurity standards. (MEDIUM TERM)

Commission Action Item 6.1.5: NIST and the Department of State should proactively seek international partners to extend the Cybersecurity Framework’s approach to risk management to a broader international market. (SHORT TERM)

Commission Text: Today, the international digital economy lacks the coherent systems necessary to effectively address cross-border malicious cyber activity. The varied individual country technology requirements, assessment regimes, and cybersecurity policies fragment markets and force companies to devote resources to multiple compliance regimes rather than to innovation. The lack of global norms and standards forces industry to select markets where they can meet national requirements, avoiding or abandoning others.


The Pentagon Needs to Increase Outreach to Small Companies
“Defense depends on small businesses to support its missions, spark innovation, and develop technologies to support the warfighter… The next administration should ensure that cybersecurity is a component of DoD’s Office of Small Business Programs (OSBP) outreach and take steps to stabilize the office’s performance and leadership.” Commission Recommendation 1.5: The next Administration should develop concrete efforts to support and strengthen the cybersecurity of small and medium-sized businesses (SMBs).

Commission Action Item 1.5.2: DHS and NIST, through the National Cybersecurity Center of Excellence (NCCoE), in collaboration with the private sector, should develop blueprints for how to integrate and use existing cybersecurity technologies, with a focus on meeting the needs of SMBs. (SHORT TERM)

Commission Text: There are more than 28 million small businesses in the United States. These businesses produce approximately 46 percent of our nation’s private-sector output and create 63 percent of all new jobs in the country. Nearly all rely on information technologies, including the Internet, other digital networks, and a variety of devices. For some small businesses, the security of their information, systems, and networks either is not their highest priority or is something they do not have the resources to address. A cybersecurity incident can harm their business, customers, employees, and business partners. Incidents involving their companies can also have far broader consequences, adversely affecting segments of the digital economy. The federal government can and should provide assistance to these companies.