#21 – WHITE HOUSE INCENTIVES FOR CIP CYBER ADOPTION – CAROLYN TURBYFILL

turby

turby

It has been a busy year in the U.S. for Cybersecurity.  The latest development (as of August  6, 2013) is an announcement from the White House outlining incentives under consideration to encourage Critical Infrastructure companies to implement the Cybersecurity Framework under development by NIST:

http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework

“We are currently working with the appropriate agencies to prioritize each incentive area and move forward. These areas include:

  • Cybersecurity insurance – Agencies suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program. The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market. The Commerce Department’s National Institute of Standards and Technology is taking steps to engage the insurance industry in further discussion on the Framework. This process should continue as the Framework is developed and the Voluntary Program is created.
  • Grants — Agencies suggested leveraging federal grant programs. Agencies suggest incentivizing the adoption of the Framework and participation in the Voluntary Program as a condition or as one of the weighted criteria for federal critical infrastructure grants. Over the next six months, agencies will develop such criteria for consideration.
  • Process Preference — Agencies offered suggestions on a range of government programs in which participating in the Voluntary Program could be a consideration in expediting existing government service delivery. For example, the government sometimes provides technical assistance to critical infrastructure. Outside of incident response situations, the government could use Framework adoption and participation in the Voluntary Program as secondary criteria for prioritizing who receives that technical assistance. The primary criteria for technical assistance would always remain the criticality of the infrastructure, but for non-emergency situations, technical assistance could be seen as an additional benefit that could help to drive adoption. Agencies currently have the authority to act in these areas without further legislation. As we work with the private sector over the next six months to develop the Voluntary Program, we will simultaneously identify and examine specific programs where this approach could be helpful
  • Liability Limitation — Agencies pointed to a range of areas where more information is necessary to determine if legislation to reduce liability on Program participants may appropriately encourage a broader range of critical infrastructure companies to implement the Framework. These areas include reduced tort liability, limited indemnity, lower burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements. As the Framework is developed, agencies will continue to gather information about the specific areas identified in the reports related to liability limitation.
  • Streamline Regulations — Agencies will continue to ensure that the Framework and the Voluntary Program interact in an effective manner with existing regulatory structures. As the Framework and Voluntary Program are developed, agencies will recommend other areas that could help make compliance easier, for example: eliminating overlaps among existing laws and regulation, enabling equivalent adoption across regulatory structures, and reducing audit burdens.
  • Public Recognition — Agencies suggested further exploration on whether optional public recognition for participants in the Program and their vendors would be an effective means to incentivize participation. DHS will work with the critical infrastructure community to consider areas for optional public recognition as they work together to develop the Voluntary Program.
  • Rate Recovery for Price Regulated Industries — Agencies recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program. 
  • Cybersecurity Research — Once the Framework is complete, agencies recommended identifying areas where commercial solutions are available to implement the Framework and gaps where those solutions do not yet exist. The government can then emphasize research and development to meet the most pressing cybersecurity challenges where commercial solutions are not currently available.

While these reports do not yet represent a final Administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order. We will be making more information on these efforts available as the Framework and Program are completed.”

On July 24, 2013, NIST provided an update on the current NIST Cybersecurity Framework:   24 July 2013 NIST Cybersecurity Framework Update

The draft outline of NIST’s Cybersecurity Framework was published on July 1, 2013:  draft_outline_preliminary_framework_standards

Leave a Reply

Your email address will not be published. Required fields are marked *