NIST announces federal cyber center plans

Editor's note: This story was modified to clarify the relationship between the FFRDC and the recent executive order on cybersecurity.

The National Institutes of Standards and Technology is spearheading efforts to establish a new federally funded research and development center through its National Cybersecurity Center of Excellence. The goal of the FFRDC is to create a neutral venue for collaboration between government and industry that will accelerate progress in implementing cybersecurity.

The idea is to bring together experts and stakeholders from both sectors, as well as academia, that can work together in finding cybersecurity solutions that will help secure digital infrastructure, according to a Federal Register notice posted April 22.

"FFRDCs are independent nonprofit organizations that operate in the public interest and provide a highly efficient way to leverage and rapidly assemble physical resources and scientific and engineering talent, both public and private," a NIST release noted. "By design, they have beyond normal access to government and supplier data, and as nonprofits, they have no bias toward any particular company, technology or product – key attributes, given the NCCoE's collaborative nature."

A request for proposals to manage the research center is expected this fall, according to NIST.

The efforts signal more of the government's growing prioritization of cybersecurity -- a priority that was also reflected in President Barack Obama's executive order on cybersecurity issued in February. While the FFRDC effort is not part of the order, the order strengthened NIST's role in cybersecurity efforts and its partnership with the White House and the Homeland Security Department, and prioritized information-sharing between sectors.

Of particular focus in the order are measures designed to secure critical infrastructure, typically run by the private sector, as well as widen the pool of cybersecurity experts and personnel, an area officials have said is sorely lacking.

"This is a critical piece of a broader problem here which is...we don't have enough people in cybersecurity; our workforce is one of the biggest challenges," said Andy Ozment, White House senior director for national security. "So how do we take the lessons the best people learn and disseminate them, particularly in sectors that believe they have unique problems that set them apart from the normal IT world? If you're in a sector that relies heavily on control systems, you may be reluctant to take general IT security advice because you don't know if that's been vetted in respect to control systems."

The hope is that by convening the stakeholders of various pockets of industry that share common cybersecurity concerns, best practices and lessons can fast-track new security measures that would not be possible without collaboration.

"That's what NIST's approach with the centers of excellence is – taking the best of industry and come up with models that really work successfully and disseminate that knowledge," Ozment said.

The center, by design, also is geared to be more flexible than what government agencies may be limited to under rules and regulations that have proved to be sticking points in information-sharing over the years.

"The FFRDC model is the most effective way the center can work with private companies to accelerate industry's adoption of integrated tools and technologies to protect IT assets," said NIST Director Patrick Gallagher said in the release. "NIST has a long history of successful collaboration with industry, and this approach leverages our top cybersecurity experts while allowing the center to be as nimble as possible."