Feds, US Businesses to Link Arms on Cybersecurity
The ever-changing and ever-expanding quest to keep information technology systems secure requires collaboration and coordination among government and business enterprises. To foster such joint efforts, the National Institute of Standards and Technology has put out the word to U.S. businesses to propose ideas and literally work side by side with federal counterparts to develop effective cybersecurity programs.
NIST issued a formal call for proposals to the business community last month. The National Cybersecurity Center of Excellence, which NIST established earlier this year, is operating the program. The agency received US$10 million in its 2012 budget to operate the center. Its mission is to bring together experts from industry, government, and academia to develop practical, interoperable cybersecurity approaches that address the everyday needs of complex information technology management.
Call for Proposals
The invitation for proposals, which resulted from a meeting of interested groups this summer, provides the first detailed glimpse into how NIST plans to implement the program.
"The proposal notice is one step in our overall effort to launch the center," said Donna Dodson, acting director of the National Cybersecurity Center of Excellence.
"Building on NIST's core capabilities in scientific research, applied research and technology transfer, the center will help businesses use realistic, proven cybersecurity solutions that solve challenges across market segments," she told the E-Commerce Times.
Companies interested in participating in the program must submit proposals that indicate the following:
- that the proposed collaboration is feasible;
- that it is relevant to the center's mission to foster the rapid adoption and broad deployment of integrated cybersecurity tools and techniques that enhance consumer confidence in U.S. information systems; and
- that the project has the potential to advance the state of cybersecurity practice.
In addition to meeting broad selection criteria, business participants in the program will be required to have their employees physically work on site at NIST's campus in Maryland, just outside of Washington, D.C.
By co-locating at the facility, business collaborators are expected to contribute to the development of the intellectual and physical infrastructure needed to support joint efforts among NIST and many sources of security capabilities -- including users and vendors of products and services -- on comprehensive approaches to resolve cybersecurity challenges.
"One of the differentiating aspects of the center is that in addition to being a collaborative environment, it's an actual collaborative facility. What makes the center unique is that we pull back the curtain and open the doors. We bring real people -- particularly from the private sector -- inside to work together to find real solutions for existing problems," Dodson said.
"We expect our use case contributors to be on site for days, weeks and months -- whatever the project requires. Vendors will bring their personal expertise and unique knowledge to a setting where they can partner with peers and NIST researchers with a unified goal to solve a particular problem," she added.
The research approach will be addressed through individual use cases, a standard tool used by software engineers to define specific function requirements of a system from the point of view of a user trying to accomplish a specific task. The cases will incorporate the IT security needs of specific sectors such as healthcare, finance and utilities. NIST expects that the center will be capable of supporting multiple simultaneous cases in various stages.
Shared Resources and Results
Results from developing successful solutions for a use case will be shared publicly, but with some protections for participants, Dodson noted.
"Developments emerging from the center will indeed become available to the public. The purpose of the program is to bring firms together to insure promulgation of cybersecurity solutions that both strongly protect organizations against threats and effectively meet business needs," she explained.
"All firms participating in the center will do so as a part of a community of interest working to further cross-industry standards and solutions without the need for divulging firm-specific intellectual property, approaches, or other confidential internal matters," Dodson added.
"That approach to information sharing is beneficial in the sense that it will provide the ability for broad adoption of solutions versus limited specific applications," Terry Roberts, cyber council chair at the Intelligence and National Security Alliance (INSA), told the E-Commerce Times.
Research agreements will be based upon the statutory technology transfer authorities available to NIST, including the Federal Technology Transfer Act. Each agreement will be between NIST and a U.S. company, likely for a period of three years, with renewal subject to mutual agreement. Companies whose proposed collaborations meet NIST's criteria will be invited to participate in a formal cooperative research and development agreement (CRADA).
While there is no express deadline for vendors and other commercial sector enterprises to submit proposals, sooner is better than later. At some point, NIST said, it may determine that expressions of interest will no longer be accepted.
Rather than circulate information about the program through a sources-sought procurement vehicle, NIST chose to post a notice in the Oct. 19 Federal Register.
"The Register has wide distribution, which puts the announcement in the hands of many different stakeholders, so it is an ideal vehicle for initial efforts to get the word out," said Dodson.
We're also using social media through Facebook, Twitter (#NCCoE), and live webcasting. We've already noted some initial success using these methods and will expand our social media presence in the coming months," she noted.
The center of excellence concept should prove to be a workable vehicle for research, said INSA's Roberts. "This is a good way to jump-start innovation in the cybersecurity space."
The NIST contact for the program is Karen Waltermire at NCCoE@nist.gov.