Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF), but it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.
Penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.
Showing posts with label strategy.
Tuesday, December 17, 2013
Wednesday, August 7, 2013
First Look at Cyber Security Incentive Ideas, Companion to NIST's Framework Work
I'll oversimplify this to keep it short, but the President kicked all of this off earlier this year in the wake of failed cyber security legislation efforts in 2010 (GRID Act) and 2012 (Cybersecurity Act of 2012).
The two primary vectors on this project have included:
- Having NIST lead the charge to develop a new cyber security framework (i.e., a pattern, roadmap, or guidance) made up of references to existing guidance that seems to work well. On Twitter this effort is tagged #NISTCSF
- A parallel initiative to develop incentives that might improve the business case for being more proactive on cyber security.
- Cybersecurity Insurance
- Grants
- Process Preference
- Liability Limitation
- Streamline Regulations
- Public Recognition
- Rate Recovery
- Cybersecurity Research
Liability and insurance are going to be the thorniest. And rate recovery help, if workable, sounds promising.
You can read The Hill's coverage and the original White House text via the URLs below, as well as check out the current status and next activities related to the framework.
----
URLs
The Hill
http://thehill.com/blogs/hillicon-valley/technology/315795-white-house-publishes-preliminary-list-of-cybersecurity-incentives
White House
http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework
NIST CSF
http://www.nist.gov/itl/cyberframework.cfm
Saturday, July 20, 2013
RFP Alert: Security Advisor Sought for New England Utility Commissions
No sooner had I posted on the need for more state utility commissions to ensure access to quality cyber security guidance than an RFP with this exact goal in mind came across my desk (figuratively speaking). So without further delay, your attention please:
The region of 6 northeastern US states collectively referred to as "New England" and boasting the highest per-capita concentration of Dunkin Donuts is seeking one very well qualified energy and cyber security professional to help guide them for a six-month period commencing in mid-September.
The New England Conference of Public Utilities Commissioners, Inc. (NECPUC) has issued an RFP for which responses are due NLT 5 pm August 8, 2013. I provide the URL to the RFP below but to save you an unnecessary trip, here are the qualifications required if you or your small firm want to even be considered for the job:
- Background and knowledge of utility sector industrial control system and business operations
- Knowledge and expertise in computer systems security and related physical security issues
- Certified Information Systems Security Professional or similar computer security management certification preferred
- U.S. Government security clearance of “Secret” or higher preferred