While the Obama administration is geared up for a big push next February to encourage participation in the voluntary Cyber Security Framework, multi-sector trade association the Internet Security Alliance (ISA) is calling for a “beta testing phase” prior to full implementation of the program.
“We have already seen in the health care website debacle the results of stringently adhering to artificially determined deadlines and not doing adequate testing,” said ISA President Larry Clinton.
“We are simply proposing the federal government do what any private sector entity would do before it goes to a full launch of a new product or service—you run a beta test with selected target audiences and generate data to refine the product before you go to full deployment.”
The Framework, intended to bolster cybersecurity for critical infrastructure assets as directed by the President’s Executive Order issued earlier this year, is being developed by the National Institute of Standards and Technology (NIST) with the aid of several thousand security experts who have attended workshops or otherwise contributed to the Preliminary Cybersecurity Framework draft released last month.
“There are some fundamental elements the President’s Executive Order requires of the framework, for example that it be cost effective, that NIST has acknowledged it cannot fulfill through the current process. The most prudent thing to do is a systematic, stratified, funded beta test of the program that will yield reliable data,” Clinton said.
“This data can then be used to demonstrate what elements of the framework are cost effective for various types of organizations and what sort of incentives will be needed to encourage voluntary adoption of needed elements which are not determined to be cost effective, based on the data.”
The ISA has discussed the idea with White House, DHS and NIST officials, and Clinton plans to provide a detailed proposal during a panel at the IEEE conference on Technology and Homeland Security in Boston Tuesday morning.
“We are proposing a more scientific process wherein DHS would work with industry to find a representative sample of targeted critical infrastructure. DHS would work with the organizations on implementation, track the issues and costs and deploy the incentives provided to manage the costs,” said Clinton.
“We can then produce the Framework 2.0. If we can reliably report this data of cost effectiveness to the community we will have a much better chance to encourage voluntary participation of framework techniques on a sustainable basis.”