The National Institute of Standards and Technology (“NIST”) held a two and a half day workshop last week, March 25-27, entitled The Intersection of Cloud and Mobility, to brainstorm on the issues, problems and realities of a world where “low-end mobile devices access diverse and scalable cloud computing resources and globally connected mobile enabled resources to receive unlimited mobile application services.”
The workshop painted a clear map of where NIST intends to focus in furthering its recently issued the final version 1.0 of the Cybersecurity Framework in Feb 2014, which resulted in turn from the administration’s Feb 2013 Executive Order 13636 designed to address critical infrastructure cybersecurity weaknesses.
Though ostensibly delving into cloud computing and mobile device usage, the agenda for the three day workshop, which was webcast from Maryland with a corresponding Twitter hashtag of #NISTCloud, covered a great deal of security ground, and included representatives from numerous federal agencies as well as private cloud and technology companies such as Amazon, Microsoft, Lockheed Martin, Microsoft, Cisco, IBM and Dell. Among the themes the workshop tackled were:
- Federal Perspectives on Cloud and Mobility
- The Vision for Cloud and Mobility
- Current State of Cloud and Mobility Intersections
- Intersections of Cloud and Mobility on the Horizon
- Challenges and Lessons Learned
- Challenges for Cloud and Mobility, including
- Use Cases, Technologies, Consumer Issues
- Domain- and Sector-Specific Perspectives
- Future Directions for Cloud and Mobility
- Challenges at the Intersection of Cloud and Mobility
- Reliability Design Goals
- Privacy and Security Issues
- Cloud-Enhancing Mobility Applications
- Ubiquitous Computing
The final day of the workshop was held concurrently with a separate NIST-sponsored State and Local Government Cybersecurity Framework Kickoff, held by NIST’s National Cybersecurity Center of Excellence (“NCCoE”). The Kickoff marks the first public follow-up to NIST’s release of the Cybersecurity Framework.
Provided ahead of the Kickoff were comprehensive handout materials, including specifics from NCCoE and The Department of Homeland Security (“DHS”), with DHS broadly introducing its Critical Infrastructure Cyber Community Voluntary Program (“C3VP”), which DHS states is to “be the coordination point within the Federal Government to leverage and enhance existing capabilities and resources to promote the adoption of the” NIST Framework. DHS’s goals for C3VP are “to increase awareness and use of the Framework, support industry and State and Territorial governments in using the Framework to increase cybersecurity resiliency” with a declared Framework adoption target goal date for all States and territories of before Jan. 1, 2015 – which is both ambitious and thought provoking.
Companies or individuals with ideas for projects involving the Framework or other cybersecurity challenged are encourged by NIST to contact them at nccoe@NIST.gov or 240 314-6800 with more information available at http://nccoe.nist.gov.
Takeways & Issues of Governmental Procurement Contracting
The Workshop and Kickoff, along with the C3VP roll out clearly demonstrate the federal resolve and initiatives underway in strengthening cybersecurity and addressing risk management and amelioration efforts in connection with data handling and technology infrastructure.
In the halls of private companies the brush with the Framework itself is likely to come at companies providing goods and services to the federal government and its agencies, especially the Department of Defense (“DOD”). At the end of this past January, the DOD and GSA Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (“JWG”) (another response to the same EO 13636 behind NIST’s Framework) issued its final Report of the same name.
The Report followed up on a DoD Nov. 2013 final rule, (See 78 FR 69273, and 48 CFR Parts 204, 212 and 252) effective Nov. 2013, which imposed various requirements, including either adoption of NIST SP 800-53 controls or “a written explanation of how (A) the required security control *** is not applicable; or an alternative control or protective measure is used to achieve equivalent protection.”
The JWG Report makes a number of broad recommendations, including changes to the Defense Acquisition Regulation Supplement (“DFARS”) and its civil analog, the Federal Acquisition Regulation System (“FARS”). that via FISMA and NIST will effectively mandate that Framework – “voluntary” as it may be – become a condition of federal procurement contract. For example, page 16 the Report clearly states “[t]he starting point for development of the [security overlays for acquisition] should be the Cybersecurity Framework.” and on page 18 that “[a]t a minimum, the qualification program [evaluating cyber risk] should be based on the Cybersecurity Framework….”
In turn, given how broadly DHS has scoped out the 16 critical infrastructure categories, we believe it is conservative to say that the Framework – at least once past any v.2.0 when NIST intends to hand it off to a heretofore unspecified NGO or organization – will be become a de facto U.S. governmental cybersecurity risk management “best practice.”
To discuss the NIST Framework, DHS’ ongoing program, your own procurement contractual challenges at local, state or federal governmental bodies, or how you can leapfrog your competition with an aggressive implementation review of the Framework, feel free to contact us at 203 307-2665 or at info@SmartEdgeLawGroup.com.
