The Defense Department is leading efforts to set mandatory cybersecurity baselines for industry, while the Federal Communications Commission has been on a deregulatory path, but both are playing influential roles in shaping the U.S. government’s relationship with the private sector and overall approach to cybersecurity that have been on display in recent days.
In one of the federal government’s most closely watched cyber initiatives in years, the official overseeing DOD’s cybersecurity certification program said most companies in the department's supply chain will be able to maintain the required cyber credentials for $1,000 per year or less.
Katie Arrington, chief information security officer within the Pentagon's acquisition and sustainment directorate, said DOD has priced out how much it will cost contractors to implement the new Cybersecurity Maturity Model Certification – and doesn’t see the price tag as prohibitive.
Meanwhile, the nuts-and-bolts work of implementing CMMC continues – and is creating private-sector opportunities as well as requirements.
Firms experienced in working with current Defense Department acquisition standards are developing new initiatives to guide contractors through the launch of the CMMC program, as work continues on establishing standards for third-party assessors.
On the civilian side, the FCC under Chairman Ajit Pai typically shies from direct regulation, but the commission’s orders are framing how a broad swath of the nation’s digital infrastructure addresses cyber issues.
The FCC is scheduled to vote Thursday on unlicensed use of so-called mid-band spectrum, a proposal that Pai says will help unleash the potential of next-generation 5G networks and the Internet of Things.
But a coalition including energy, telecom, railroad industry groups, state regulators, and public safety organizations wants the FCC to reconsider and take into account potential cybersecurity impacts, including interference with critical control systems.
The FCC also has a new order, to be published Thursday, on freeing up for 5G use so-called C-Band spectrum now used by satellite operators. That move has also triggered pushback on security grounds.
Separately, a presidential executive order on reviewing security threats in applications and licenses before the FCC is raising concerns among lawyers. They say the EO helpfully provides specific timelines around the activities of “Team Telecom 2.0,” but is written so broadly that federal officials conceivably could swoop in and refuse or revoke licenses in all kinds of areas.
“One of the chief concerns of my clients is the scope of the EO,” said an attorney who represents companies on cyber and other issues. “There is plenty of ambiguity in it, a lot of latitude to conduct reviews beyond the work of ‘Team Telecom 1.0,’ which wasn’t formal but did have boundaries.”
Earlier last week, the FCC sought information from the telecom sector on how a recently enacted law relates to an ongoing “rip-and-replace” program to remove untrustworthy equipment from telecom systems. “Rip-and-replace” is one of the main lines of effort aimed at ridding critical private-sector networks of Chinese components.
CISA’s Kolasky writes foreward for new corporate directors guide
Finally for this week, in its latest move to help keep both the hackers and the regulators away, the National Association of Corporate Directors and the Internet Security Alliance have released “Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards.”
ISA and NACD are long-time leaders of efforts to drive industry cyber improvements through the active engagement of corporate directors, an initiative ISA has been pursuing on a global basis.
Bob Kolasky, director of the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center, says in a foreward to the new report: “While the touchpoints between cybersecurity hubs within the federal government and technically focused network defenders in the private sector have been historically strong, the connections with the enterprise-risk management portions of organizations are admittedly less mature.”
Kolasky writes: “This reality presents a prime opportunity to use the guidance contained in this Handbook for deeper risk management integration between government and industry. CISA has recently launched what we are calling the National Risk Management Dialogue -- a series of high-level conversations with chief risk officers and enterprise-risk management executives at critical infrastructure organizations. We’ll be doing more of these around the country and look forward to continued engagement.”
He also discusses the ongoing need for improvement in adoption of “cybersecurity basics,” as well as progress in developing cybersecurity metrics. “Too often, cybersecurity has been treated as a ‘too-hard-to-measure’ problem, but we are now making progress in quantifying cyber risk,” Kolasky writes. – Charlie Mitchell (firstname.lastname@example.org)