Earlier this week SIIA submitted comments in response to the proposed implementation of Section 8(e) of Executive Order 13636 – Improving Critical Infrastructure Protection, issued on February 12, 2013. We greatly appreciate the opportunity to provide formal comments to GSA and DOD on this critical section of the Executive Order.
SIIA shares the overall goals of the Administration in developing a cybersecurity framework that improves our ability to protect government information and critical infrastructure from cyber-attacks. In fact, many SIIA members provide products and services that protect businesses, consumers and public sector entities from cyber-attacks, viruses and a wide range of online security threats. As a result of this experience, these members have a critical voice in the debate on the implementation of Section 8(e) of the Executive Order. While we recognize the importance of the overall goals of the Executive Order, we have some significant concerns regarding the potential effects of its implementation as proposed in the RFI.
Most notably, we have an overarching concern that the RFI itself does not accurately reflect the carefully crafted definition of “critical infrastructure” contained in the Executive Order. Instead, the RFI appears to sweep all IT companies or their customers into the same regulatory basket as the most critical systems. This distinction is crucial, as not all systems and assets should be required to comply with this level of regulation.
In addition, SIIA expressed concerns in our comments about how the development of a broad cybersecurity framework, an ongoing process at NIST, may impact sector-specific guidance such as what is proposed here for the government contractor / acquisition sector. As a result, we have requested that the implementation of Section 8(e) be delayed until the NIST cybersecurity framework has been fully developed.
Furthermore, while we support the “common criteria” as a globally recognized, effective solution for a rapidly changing IT marketplace, we caution the Administration to avoid establishing any new, overly prescriptive supply chain or software assurance scheme that would establish the Government as a leader in the process of developing technology, or that would create a US-centric standard, as this would conflict with the proven security regime that has long been the foundation of our national security strategy.
We also point out concerns about how what is proposed in this Executive Order may impact the consistent, accepted, risk-based government cybersecurity requirements contained in FISMA. Beyond its impact on FISMA, the Executive Order may also overlap with and be redundant to the FedRAMP program, potentially subjecting any Internet-enabled computing services utilized by the government to new baseline security assessments, on top of the existing FISMA and FedRAMP requirements. Not only would this practice be costly, slow, and inefficient, but it could lead to new technology-specific overlays for services that are already being utilized and assessed by the federal government in a technology-neutral way.
Lastly, we highlight our concerns regarding the potential effect of the rules proposed as a result of the Executive Order on the other major cyber-related requirements, both current and proposed, including those found in the FAR, the DFARS, FISMA and the last two National Defense Authorization Acts.