MITRE’s data-driven response to a White House inquiry requesting input into harmonizing cybersecurity regulations for critical infrastructure.
What’s the issue? “Strategic Objective 1.1 of the National Cybersecurity Strategy recognizes that while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. The Strategy calls for establishing cybersecurity regulations to secure critical infrastructure where existing measures are insufficient, harmonizing and streamlining new and existing regulations, and enabling regulated entities to afford to achieve security.”
What did we do? The Center for Data-Driven Policy led a cross-MITRE analysis of the Office of the National Cyber Director's posed questions, seeking to uncover data and evidence (from our work in the public interest) that would help the White House understand opportunities and develop plans that are evidence-based, actionable, and effective.
What did we find? MITRE recommends that any new cybersecurity regulations, or refinements to existing ones, not specify technical requirements or implementation details for critical infrastructure (CI) owners/operators or the industry vendors/providers that support them. Specifying such details would further complicate continuous regulation harmonization, and updates would likely not keep up with the rapidly evolving cybersecurity landscape.
Instead, we recommend that regulations and/or administration guidance focus on providing Sector Risk Management Agencies (SRMAs) with additional direction on how to shift the focus from compliance checking to strengthening the mechanisms that CI owners/operators and the vendors/providers that support them need in order to produce meaningful improvements and more consistent outcomes.