Although the Federal government has made progress in protecting U.S. critical infrastructure through a largely voluntary approach, Federal Chief Information Security Officer (CISO) Chris DeRusha today called for minimum cybersecurity requirements for critical infrastructure.
During a live LinkedIn event today hosted by Zscaler, DeRusha explained that over the past decade, certain critical infrastructure sectors have been regulated more than others, “but it’s not consistent across those 16 sectors – and there’s some work to do there.”
“It’s not sufficiently resilient to ensure and say that we can ensure our national security and public safety,” DeRusha said. “We really need minimum cybersecurity requirements for critical infrastructure.”
“I think how you do that, you need to be cautious in that. It’s going to be a close partnership to move forward with the private sector and municipal owners and operators of the infrastructure, but there are a few principles for a framework that, you know, could lead to some new regulations,” he said.
The first principle the Federal CISO shared is that the regulations should have the “lightest touch possible.”
The second, he said, is that baseline regulations need to be harmonized with the sectors’ existing requirements. Reducing the duplication of rules and assessments is critical to this harmonization, DeRusha said.
The third principle, according to DeRusha, is that these baseline regulations are developed in collaboration with industry “so that they’re cost-aware, that they’re based on sound risk management principles, and they’re actually going to get the outcomes that we’re seeking.”
The final principle the Federal CISO shared is that the harmonized baseline requirements will be reciprocated across regulators with jurisdiction over companies “so that we can have a world where the company needs to demonstrate compliance once.”
“I don’t think you’d hear any of us say that those principles will be easy to achieve. But what we’re saying is: we’ve got to do something new and different,” DeRusha said. “We got to do it with the folks who are running the infrastructure to get it right. And we’re going to do that, and I think that is a new tone.”
“We’re trying to set it out of the gate collaboratively and also sort of making sure that people really understand we’re serious about harmonization,” he continued.
DeRusha said one of the ways the Federal government is making that crystal clear is through the White House’s request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity.
The Office of the National Cyber Director (ONCD) released the RFI on cybersecurity regulatory harmonization and regulatory reciprocity on July 19, seeking input from stakeholders to understand existing challenges with regulatory overlap and inconsistency.
Feedback for the RFI was originally due on Sept. 15, but after only receiving one comment, ONCD has extended the deadline to submit comments to Oct. 31.
“We’re going to be getting a lot of feedback on that, we’re quite sure, in a couple of months, and we’re really looking forward to really deeply going through that and learning how we do this in the right way,” DeRusha said.
The Biden administration’s end goal for the RFI is to create a framework that represents reciprocity of baseline cyber requirements that are aligned across all critical infrastructure sectors. The document defines harmonization as “a common set of updated baseline regulatory requirements that would apply across sectors.”
So, once the responses come in for that RFI, what are the White House’s next steps?
“What we’re doing right now is we’re really ensuring we’re well positioned to take all of that feedback, take unstructured data and get it structured, analyze it, and make sure that we’re pooling it and putting it in the right place,” DeRusha said. “Doing follow-up engagements, you can all anticipate to see.”
Exactly how that framework will come together is “a little bit of a work in progress at the moment,” DeRusha said, adding, “but it’s all being strategized and worked through right now while we have this moment in time of getting the RFI results.”