There are two cybersecurity updates.
#1- Development of Comments to Cybersecurity Strategy
First, for ILTA Members, the Office of the National Cyber Director (ONCD) is developing the Biden Administration’s National Cybersecurity Strategy, and the Oil and Natural Gas Sector Coordinating Council (ONG SCC) leadership is facilitating the collection of comments on behalf of the ONG SCC. The cybersecurity strategy will nest within and complement the soon-to-be-released National Security Strategy. As the ONCD develops the cybersecurity strategy, the Sector Coordinating Councils (SCCs) were invited to provide perspectives, either as a consensus under the Critical Infrastructure Protection Advisory Council (CIPAC) structure or as individual SCC members, on the following topics:
- How the government and industry can better work together and collaborate on cybersecurity challenges;
- The roles, mission, integration, and vision of the various government collaboration centers, such as the Joint Cyber Defense Collaborative (JCDC) and sector-specific collaboration centers;
- How the government can most helpfully and productively engage in cybersecurity regulation and regulation harmonization;
- Any legal or policy impediments to greater public-private collaboration; and
- Any other topics that the National Cybersecurity Strategy should address.
The ONG SCC leadership collected industry comments and will continue to accept any information from stakeholders until Monday, July 11. The National Security Council has also offered to meet virtually with the SCCs through July 15, 2022, to discuss these questions and to receive viewpoints and perspectives from individual participants rather than as a consensus. Please let ILTA staff, Michael Stroud, know if you have any questions or would like to meet with ONCD about the National Cybersecurity Strategy, and ILTA can work to arrange a meeting.
#2- Development of DHS and NIST Common Baselines for Cybersecurity for Critical Infrastructure Continues
Second, the ONG SCC is also working with the CIPAC to coordinate cross-sector Common Baseline goals and objectives for cybersecurity to protect critical infrastructure. The CIPAC started its work in fall 2021, with several meetings in early 2022. The ONG SCC is continuing to work to provide insights from ILTA Members and other sector stakeholders to help inform the Common Baseline.
In July 2021, the U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) were tasked with developing the preliminary cybersecurity performance goals that will drive adoption of effective practices and controls.
CISA and NIST identified nine categories of recommended cybersecurity practices and used these categories as the foundation for preliminary control system cybersecurity performance goals. Each of the nine goals includes specific objectives that support the deployment and operation of secure control systems; these objectives are further organized into baseline and enhanced objectives. These goals represent high-level cybersecurity best practices. They are:
- Risk Management and Cybersecurity Governance
- Architecture and Design
- Configuration and Change Management
- System and Data Integrity, Availability, and Confidentiality
- Continuous Monitoring and Vulnerability Management
- Training and Awareness
- Incident Response and Recovery
- Supply Chain Risk Management
As part of the continued DHS performance goals process, DHS has passed along the “Controls List” document, which represents the substantive core of the Common Baseline. DHS also circulated a “review guidance” document that provides guiding questions to consider as you review the mitigation and goals list, as well as an FAQ document. CISA will provide a second package of ancillary content (including introductory content and glossaries) in July.
DHS CISA has set a deadline of August 10, 2022, for submission of feedback and has asked the Sector Risk Management Agencies (SRMA) to consolidate all input and feedback into a single submission. To allow for compilation of feedback, the ONG SCC has requested that ILTA Members submit their comments in the attached comment form to Michael Stroud, with ILTA, no later than COB Wednesday, August 3.
In addition to this review process, CISA will hold three workshops for industry to provide feedback. The goals of these workshops are to ensure that partners have a robust understanding of the purpose and updated content of the Common Baseline mitigation and goal list and to answer any questions.
The workshops are on the following dates, with registration details forthcoming. The public workshop will be publicized via public outreach channels.
• July 13, 2022 (open to sector and cross-sector partners)
• July 20, 2022 (open to the public)
• July 25, 2022 (open to sector and cross-sector partners)
Please let Michael Stroud know if you have any questions.