New guidelines for building cyber into critical infrastructure

Two government agencies and a public/private partnership issued recommendations -- and some new requirements -- for building cybersecurity into the systems, controls and platforms that underpin critical infrastructure.

The National Institute of Standards and Technology, which is also developing an overarching federal cybersecurity framework, convened workshops earlier this year with the nonprofit Cyber Security Research Alliance to create a road map for designing built-in critical infrastructure security. The group -- a mix of representatives from government, industry and academia -- released a comprehensive report Nov. 20 that highlights ways to secure vulnerable public-facing IT systems.

The joint NIST/CSRA report comes on the heels of a Nov. 18 memo from the Office of Management and Budget that provides a framework for federal agencies to use to manage risk and continuously monitor critical IT networks and systems.

"It's important to point out that cyber-physical systems pretty much touch our lives in just about everything we do today," said Lee Holcomb, president of CSRA and director of transformation integration at Lockheed Martin. "They include all modes of transportation, energy, health care, consumer electronics. Pretty much everything we do on a daily basis in some way touches some part of CPS. Protecting those systems is really important, and that was what we took on."

CSRA and the recent report focus on CPS, which includes IT systems that support industrial controls, data communications and public utilities. The report's findings target the establishment and improvement of common taxonomy, architectures, metrics, best practices, standards, interoperability, and other methods to improve systems' resiliency and encourage cybersecurity efforts. It also calls for the establishment of CPS curricula to ensure that the workforce has adequate skills and expertise.

Holcomb added that CSRA members are conducting further research and implementing numerous findings in the report. Meanwhile, OMB has chosen a phased approach and set a 2017 deadline for agencies to deploy information security continuous monitoring (ISCM) tools that provide dynamic and proactive cybersecurity. OMB's memo also specifies the use of strategic sourcing to "minimize the costs associated with implementing requirements of the risk management framework."

The memo includes eight steps for instituting ISCM across the government and assigns specific responsibilities to the Department of Homeland Security and NIST, including the establishment of a federal dashboard for ISCM, coordination with the PortfolioStat and CyberStat programs, and ongoing guidance.

"By strengthening the underlying information technology infrastructure through the application of state-of-the-art architectural and engineering solutions, and leveraging automation to support the implementation of the risk management framework (which includes the ongoing monitoring of security controls), agencies can improve the effectiveness of the safeguards and countermeasures protecting federal information and information systems in order to keep pace with the dynamic threat landscape," OMB Director Sylvia Burwell wrote in the memo.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
