By Danielle Kriz, Sr Director, Global Policy, Palo Alto Networks and Sean Morgan, Advisor, Cybersecurity Policy, Palo Alto Networks
Earlier this month, Palo Alto Networks joined approximately 1,000 stakeholders at the Cybersecurity Framework Workshop 2016, organized and hosted by the National Institute of Standards and Technology (NIST) on its campus in Gaithersburg, Maryland. The workshop represented just the latest example of an ongoing, inclusive dialogue that started during the initial development of the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) in 2013 and has continued since its official launch in February 2014.
The workshop highlighted the many ways that governments around the world, and businesses large and small, have uniquely applied the Framework to help manage and reduce their cybersecurity risks. NIST should be commended for its continued efforts to bring together key stakeholders from industry, academia and government to discuss uses and best practices and ensure the Framework remains the flexible, voluntary guidance document it was intended to be. Although the Framework has gathered extensive support across, and promotion by, multiple industry sectors since its launch – as evidenced by the broad spectrum of entities engaged in the workshop dialogue – NIST’s leadership and guidance remains essential.
From our perspective, a few key themes emerged at the workshop. One was the growing global dimension of the conversation – not simply about the Framework itself, but about the broader importance of developing a common cyber risk management lexicon as the world becomes increasingly interconnected. The central tenets of the Framework’s Core – Identify, Protect, Detect, Respond and Recover – provide precisely this type of shared baseline necessary to facilitate strategic cyber risk management conversations across organizational levels and borders.
One panel, in particular, on international alignment of the Framework, featuring speakers from Japan and Italy, was a testament to this conversation’s expanding reach. Increased international engagement in and acceptance of this type of inclusive, public-private partnership approach to cybersecurity policy development is essential. More granularly, a reaffirmation of the value of using globally accepted, industry-led, voluntary consensus standards for cybersecurity risk management will help drive greater competition and innovation in the global marketplace.
Another important discussion at the workshop was how U.S. federal agencies are using the Framework. In fiscal year 2016, the CIO FISMA Metrics – a critical tool for measuring department and agency cybersecurity – are organized around the Framework’s five functions. U.S. federal agencies and contractors in the workshop session reported various degrees of activity; some were already mapping various activities to the Framework, while others reported that more awareness about the Framework was needed. We strongly support the efforts to drive alignment of cybersecurity requirements for federal information systems with the Framework. It is good for federal cybersecurity, exemplifies a best practice to industry, and indicates to other governments around the world the United States’ sincerity about utilizing the Framework.
Finally, the workshop featured a series of conversations about the future of the Framework. One question was about the value of updating it. We agree with many in industry that it is too soon to make major changes and move to “version 2.0.” The Framework needs to gain traction with a broader diversity of stakeholders to more fully realize its potential as a risk management tool. Any updates should focus on Framework refinement rather than expansion. To this end, like others in industry, we believe that the list of voluntary standards (the “informative references”) should be updated if new standards have gained widespread, voluntary global adoption since the Framework was first published. We also believe NIST’s efforts to raise awareness about the Framework should reflect global security trends toward threat prevention as an integral part of the “Protect” function.
On these and other issues, NIST used the workshop as an opportunity to solicit stakeholder input, and we encourage that all future decisions continue to be made in the same inclusive and thoughtful manner as that which produced the Framework itself. Since that original inception and throughout its development and implementation, Palo Alto Networks has been a strong advocate for the Framework’s importance both individually and as part of broader technology coalitions. As a company, we believe strongly in the principles the Framework espouses: public-private partnership, the importance of sound cyber risk management policies, and a recognition that cybersecurity policies and standards must be considered on a global scale. We look forward to continuing to be a constructive part of this important dialogue.