New cyber framework aimed at small, mid-tier defense companies.

Author: Magnuson, Stew

A National Institute of Standards and Technology framework intended to help companies and organizations bolster their cybersecurity may have a big impact for small- and mid-tier defense contractors, experts said.

The draft of the cybersecurity framework was released at the end of October, and NIST was gathering comments until Dec. 13. Its overarching goal is to set up voluntary information sharing regimes for each of the 16 critical infrastructure sectors identified by the Department of Homeland Security.

The framework is mostly directed at smaller companies and can help them implement standards and follow risk management principles and best practices, said Larry Clinton, president of the Internet Security Alliance. That is particularly true in the defense industrial base, where larger companies are seen as being ahead on cybersecurity.

"In general, these organizations do state-of-the-art cybersecurity. They have tremendous resources in scope and scale--among other things," Clinton said.

However, further down in the supply chain, companies don't have the same financial wherewithal and expertise, he noted.

The Presidential Executive Order--Improving Critical Infrastructure Cybersecurity, released in February--called for NIST to create the framework. The executive order was a result of a recalcitrant Congress, which has had difficulty passing major bills such as the Cyber Intelligence Sharing and Protection Act.

A lot can be accomplished under the framework and executive order without the need for further legislation, cybersecurity executives told National Defense.

The defense and the financial services sectors are seen as two industries that are at the forefront of cybersecurity. Concerned about reports of China-based hacking enterprises stealing vast amounts of intellectual property, the Defense Department initiated the defense industrial base cyber security and information assurance program in 2007.

It was designed to gather reports on network intrusions, scrub the data to ensure the company contributing the information remained anonymous, and then push out reports to other participants. The program, administered by the chief information office, has since expanded, and is now serving as a model for the framework.

The framework includes principles that will reach across all sectors such as risk management, said Tom Conway, director of network security firm McAfee Federal. Companies need to know what assets are most at risk, prioritize, and...
