NIST asks for industry input on data encryption use

Agency moves ahead with implementing President Obama's executive order

Encryption of data, whether on mobile devices, networks or data centers, is a key security step that enterprises can take to prevent breaches of sensitive corporate information as well as personal information of customers.

That is why the National Institute of Technology and Standards is asking the private industry to provide information on how enterprises are using encryption to protect data and how they are protecting, storing and managing encryption keys.

In addition, NIST is seeking private industry input on how enterprises are identifying and managing assets that require protection and what security engineering practices they use.

NIST has been tasked with implementing President Barack Obama's executive order that seeks to develop and implement voluntary standards and best practices to improve the security of networks, computer and data at critical infrastructure firms.

The order directs NIST to work with industry groups to develop a voluntary cybersecurity framework to improve security, while maintaining a technology-neutral stance on security products and services. NIST will hold workshops over the next few months to collect additional input and expects to complete the framework within a year.

In his State of the Union address delivered on Tuesday night, President Obama said: "I signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs and our privacy. But now Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks. This is something we should be able to get done on a bipartisan basis."

Wasting no time, Rep. Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.) reintroduced on Wednesday the Cyber Intelligence Sharing and Protection Act that would expand the sharing of cyber threat information between the government and private industries. It would also provide liability protection for companies sharing threat information. Unlike the executive order, CISPA does not contain guidelines or requirements for private companies to improve their cybersecurity.

The House Intelligence Committee, which Rogers chairs, held a hearing on the bill Thursday morning during which the bill's sponsors tried to defend CISPA against charges by privacy advocates that the bill would enable national security agencies to collect personal information on American citizens.

"Our bill provides positive authority to the government to provide classified cyber threat information to the private sector, and knocks down the barriers that impede cyber threat information sharing among private sector companies, and between private sector companies and the government. It does all this with strong restrictions and safeguards to protect the privacy and civil liberties of Americans," Rogers said in this opening statement.

The battle over cybersecurity that consumed so much executive and congressional attention over the last couple of years has been resumed. Hopefully, the results will be more productive than the stalemate in the last session of Congress.

For more:
- read the NIST announcement
- see President Obama's executive order
- check out the House Intelligence Committee hearing
- see the CISPA 2013 bill

Related Articles:
President Obama issues executive order for critical infrastructure firms
EU considering mandatory network and information security directive