National Institute of Standards and Technology (NIST) Director Patrick Gallagher told members of the House Energy and Commerce Committee last week that the agency is working to develop a set of cybersecurity best practices for the private sector in an “open and transparent” manner. Development of the practices, termed a "cybersecurity framework," is required by Executive Order 13636, issued by President Obama in February.
In his testimony, Gallagher explained that the framework, due in February 2014, will comprise consensus-based standards, methodologies, procedures and processes to address cyber risks to critical infrastructure. Once the framework is issued, DHS and sector-specific agencies will begin outreach to owners and operators of water systems and other covered critical infrastructure assets to encourage voluntary adoption. Gallagher noted that the executive order does not give the government the power to mandate adoption of the framework or of any standards within it, although agencies that already have regulatory authority over critical infrastructure cybersecurity may propose new regulations consistent with it.
Energy and Commerce Committee Republicans used the hearing as an opportunity to reiterate skepticism of the executive order, which they fear could lead to “one-size-fits-all” cybersecurity standards. Committee Chairman Fred Upton (R-Mich.) warned that a federal cybersecurity regime must provide “ample flexibility to afford … critical infrastructure the ability to protect against and respond to rapidly evolving threats.” Upton also said that the “bureaucracy” of the framework required by the executive order would be unable “to keep pace with ever changing threats.”