The Internet Security Alliance is calling on the Obama administration to take a lesson from the botched rollout of the federal health care website and establish a “beta-testing phase” for the voluntary cybersecurity framework currently under development by the National Institute of Standards and Technology.
“We have already seen in the health care website debacle the results of stringently adhering to artificially determined deadlines and not doing adequate testing,” said ISA President Larry Clinton. “We are simply proposing the federal government do what any private sector entity would do before it goes to a full launch of a new product or service — you run a beta test with selected target audiences and generate data to refine the product before you go to full deployment.”
NIST released a preliminary framework in October and plans to hold one more public discussion workshop to gather input before issuing the final version in February.
A key element of President Barack Obama’s executive order on cybersecurity, issued earlier this year, the framework is intended to establish a set of best practices that can be customized to various critical infrastructure sectors and adopted by both large and small organizations while providing a consistent approach to cybersecurity.
But ISA argues the administration’s plan to push for full-scale adoption of the final framework in February could lead to problems for small and mid-size companies that do not have the same depth of experience and resources larger infrastructure operators have. And because the framework is voluntary, ISA fears companies that find it difficult to implement certain guidelines will simply ignore the framework altogether.
“Early adopters of the framework are most likely to be organizations with economy of scope and scale atypical of the rest of industry or are responding to high-level political motives,” Clinton said in a statement. “Attempting to generalize their experience to companies who do not have this background can be invalid and misleading.”
As an alternative, ISA is proposing what it calls “a more scientific process” in which a “stratified sample of representative target [critical infrastructure] companies” would test-drive implementing the best practices proposed by the framework, according to briefing slides obtained by FedScoop that Clinton plans to present Tuesday to a conference on Technology and Homeland Security in Boston sponsored by the Institute of Electrical and Electronics Engineers.
“DHS would work with the organizations on implementation, track the issues and costs and deploy the incentives provided to manage the costs,” Clinton said. “If we can reliably report this data of cost effectiveness to the community, we will have a much better chance to encourage voluntary participation of framework techniques on a sustainable basis.”
“Come Feb. 14, we should initiate the first phase of implementation — beta testing,” states a slide in Clinton’s presentation. “This is what any sophisticated company would do with a new product rollout. Our critical infrastructure deserves no less.”