New guidelines for building cyber into critical infrastructure

Two government agencies and a public/private partnership issued recommendations -- and some new requirements -- for building cybersecurity into the systems, controls and platforms that underpin critical infrastructure.

The National Institute of Standards and Technology, which is also developing an overarching federal cybersecurity framework, convened workshops earlier this year with the nonprofit Cyber Security Research Alliance to create a road map for designing built-in critical infrastructure security. The group -- a mix of representatives from government, industry and academia -- released a comprehensive report Nov. 20 that highlights ways to secure vulnerable public-facing IT systems.

The joint NIST/CSRA report comes on the heels of a Nov. 18 memo from the Office of Management and Budget that provides a framework for federal agencies to use to manage risk and continuously monitor critical IT networks and systems.

"It's important to point out that cyber-physical systems pretty much touch our lives in just about everything we do today," said Lee Holcomb, president of CSRA and director of transformation integration at Lockheed Martin. "They include all modes of transportation, energy, health care, consumer electronics. Pretty much everything we do on a daily basis in some way touches some part of CPS. Protecting those systems is really important, and that was what we took on."

CSRA and the recent report focus on CPS, which includes IT systems that support industrial controls, data communications and public utilities. The report's findings target the establishment and improvement of common taxonomy, architectures, metrics, best practices, standards, interoperability, and other methods to improve systems' resiliency and encourage cybersecurity efforts. It also calls for the establishment of CPS curricula to ensure that the workforce has adequate skills and expertise.

Holcomb added that CSRA members are conducting further research and implementing numerous findings in the report. Meanwhile, OMB has chosen a phased approach and set a 2017 deadline for agencies to deploy information security continuous monitoring (ISCM) tools that provide dynamic and proactive cybersecurity. OMB's memo also specifies the use of strategic sourcing to "minimize the costs associated with implementing requirements of the risk management framework."

The memo includes eight steps for instituting ISCM across the government and assigns specific responsibilities to the Department of Homeland Security and NIST, including the establishment of a federal dashboard for ISCM, coordination with the PortfolioStat and CyberStat programs, and ongoing guidance.

"By strengthening the underlying information technology infrastructure through the application of state-of-the-art architectural and engineering solutions, and leveraging automation to support the implementation of the risk management framework (which includes the ongoing monitoring of security controls), agencies can improve the effectiveness of the safeguards and countermeasures protecting federal information and information systems in order to keep pace with the dynamic threat landscape," OMB Director Sylvia Burwell wrote in the memo.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
