ISPAB Meeting Highlights U.S. Government Information Security Efforts
The Information Security and Privacy Advisory Board (ISPAB or the Board) convened on November 1 for a two-day meeting in Washington, D.C. The open meeting featured updates on cybersecurity and privacy efforts across the federal government, including at the National Institute of Standards and Technology (NIST), the National Telecommunications and Information Administration (NTIA), and the Department of Homeland Security (DHS).
Background on ISPAB
Originally authorized by Congress in the Computer Security Act of 1987, the ISPAB is charged with advising the Director of NIST, the Secretary of Homeland Security, and the Director of the Office of Management and Budget (OMB) on privacy and information security issues related to federal government systems. The ISPAB consists of eight information technology experts from outside the federal government, four members who are information system experts within the federal government, and a chairperson appointed by the Director of NIST.[1]
Cybersecurity and Privacy Updates
Assembling for the third and final time in 2018, the Board was briefed by representatives of key government entities responsible for securing federal information systems, including representatives of NIST, DHS, OMB, the National Security Council, and the National Academies’ Computer Science and Telecommunications Board.
NIST
NIST presentations included, among other things, updates on the agency’s Privacy Framework, Cybersecurity Framework, and Draft Interagency Report 8228—Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (Draft NISTIR 8228).
The recently launched Privacy Framework effort, which is being modeled in part on NIST’s Cybersecurity Framework, is working to define types of data processing and their possible negative effects on individuals. NIST highlighted its recent public privacy workshop in Austin, Texas, and discussed plans to convene more public workshops and engagements with industry. Informed by these outreach efforts, NIST expects to release draft Privacy Framework documents for public comment over the next year.
NIST also provided an update on its Cybersecurity Framework, an updated version of which was released in April of this year. NIST reported that it is not currently working on a Cybersecurity Framework update and has turned its focus to Framework users and the Framework Roadmap, which is still in draft form. NIST indicated that the Framework Roadmap will soon be finalized with no significant changes from the December 2017 Draft Framework Roadmap. NIST also discussed measuring cybersecurity, citing the complexity of that task. NIST noted plans to solicit stakeholder perspectives through a Request for Information regarding cybersecurity measures. NIST indicated that RFI responses will help divide cybersecurity measures into manageable segments.
NIST also presented an update on Draft NISTIR 8228 and other IoT-related work. NISTIR 8228 is intended to help federal agencies and others understand the cybersecurity and privacy risks associated with IoT devices throughout the product lifecycle.[2] Beyond NISTIR 8228, the National Cybersecurity Center of Excellence is considering an IoT consumer product effort.
NTIA
Representatives from NTIA and NIST provided a report on the Botnet Roadmap, a product of the Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats authored by the Department of Commerce and DHS. The agencies hope to release a draft Botnet Roadmap by the end of November that will address five different “lines of effort,” outlining multiple actions and tasks under each line of effort.
DHS
A DHS representative reported on immediate efforts of the new National Risk Management Center (NRMC), which assesses risks to national critical infrastructure and brings together government and the private sector to address the complex threat environment. DHS highlighted the NRMC’s three focus areas: (1) establishing itself as a strategic—not operational—office; (2) launching initiatives to address known threats; and (3) developing guidance for government and industry to manage risk to critical functions.
Another DHS presenter outlined the ways technology is used to facilitate economic and national security attacks and discussed the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, a public-private partnership recently formed by DHS. The Task Force is busy devising threat assessments and best practices, developing criteria for an ICT approved-product list, and considering the merits of a Federal Acquisition Regulation to address supply chain risk.
ISPAB Looking Ahead
At the end of the two-day meeting, ISPAB chairman Christopher Boyer announced that he is stepping down as chair of the ISPAB but will remain on the Board. The new chair will be Steven Lipner, executive director of The Software Assurance Forum for Excellence in Code (SAFECode). The Board plans to hold its next meeting in March 2019.
[1] Dep’t of Commerce, NIST, Information Security and Privacy Advisory Board Charter (2018), https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/ispab-charter-may2018.pdf.
[2] Dep’t of Commerce, DRAFT NIST Interagency Report 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, 1 (2018).