In our recent OODA Loop Stratigame – Scenario Planning for Global Computer Chip Supply Chain Disruption – in all four scenarios we determined:

1) Public-private partnership in the cybersecurity marketplace, including collaborative innovation in the establishment of industry-wide frameworks and standards, will be crucial; and

2) Cybersecurity innovation at the physical layer–especially security innovation in the creation of a point-to-point trusted, global IT supply chain, including the establishment of the provenance and tracking of trusted semiconductors for national security applications–will need to happen no matter what the semiconductor global supply chain future holds.

Organizations like the Institute of Electrical and Electronics Engineers (IEEE) and The National Institute of Standards and Technology (NIST) will figure prominently in such efforts at innovation, framework development, and standardization. It is now up to the private sector to meet these standardization organizations in the middle – and that means scanning the horizon for worthwhile government cybersecurity efforts which make sense for your company’s design innovation process, business models, and ideas around value creation and capture.

To start, there is plenty of activity over at NIST related to cybersecurity worth a review.

NIST Cybersecurity Framework

It is time to revisit the framework offering from NIST.  In the way of an indirect endorsement of the NIST cybersecurity technical framework, in our recent analysis of the Google Cybersecurity Action Team’s first cloud threat intelligence report, we discovered that the entire Google Cloud cybersecurity initiative is aligned with the NIST Cybersecurity Framework.

Due to the size and scale of Google network traffic, it is instructional that they have chosen to collaborate with a government standardization effort.  OODA Loop is in a formative phase of research and reaching out to the OODA Network to garner their most recent experience with this framework, but we are confident enough at this point to encourage our readership to start to evaluate it and its applicability to your business and cybersecurity issues. The framework was created and remains voluntary for the private sector-based Executive Orders issued in 2013,  2014, and 2015.

All government agencies have been required to implement the framework since 2017, based on an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which states that “each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency’s action plan to implement the Framework.”

One stone we can turn for you right now is that NIST and DHS have addressed any confusion and questions about the relationship between the NIST Cybersecurity Framework and the DHS Cyber Resilience Review, which can be found on the DHS website.  In the FAQ’s section of the framework website (which is remarkably accessible and easy to use  – with plenty of resources in a variety of formats) the Relationship Between the Framework and Other Approaches and Initiatives is addressed in detail, including a discussion of threat frameworks including the U.S. Office of the Director of National Intelligence (ODNI) Cyber Threat Framework (CTF), Lockheed Martin’s Cyber Kill Chain®, and the Mitre Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) model.

If you are looking for use cases to apply to your business model see the on-demand past events where NIST personnel have provided framework information and perspectives.  Please reach out to OODA Loop if you have a unique perspective on or use case with the NIST Cybersecurity Framework.

The Cybersecurity Physical Layer Matters

Consistent with the OODA Loop Stratigame findings mentioned above,  the NIST National Cybersecurity Center of Excellence (NCCoE) is also generating reports about “Hardware-Enabled Security and Trusted Cloud” and has recently released three new draft reports for public comment.  The three new draft reports are:

• 2^nd Draft NIST Internal Report (IR) 8320, Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases, examines hardware-enabled security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing.
• Draft NIST IR 8320B, Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms, explains an approach for safeguarding container deployments in multi-tenant cloud environments, as well as a prototype implementation of the approach.
• Draft NIST Special Publication (SP) 1800-19, Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments, describes an example solution for using trusted compute pools leveraging hardware roots of trust to monitor, track, apply, and enforce security and privacy policies on cloud workloads.

The public comment period for these drafts is open through December 6, 2021. See the publication details for copies of the drafts and instructions for submitting comments.

The NICE Framework:  Building a Better Cybersecurity Workforce

The NIST National Initiative for Cybersecurity Education (NICE) program came to our attention as a co-sponsor with OODA Loop of the US Cyber Games, which recently announced the first-ever U.S. Cyber Team announced to compete in Athens at the ICC in June 2022.  OODA Network member Jessica Gulick of Katzcy was integral in the success of the Cyber Games and remains a collaborator with NIST NICE.

Workforce development will be crucial for the development of the cybersecurity market to meet the cyber threats ahead.  Your organization should stay in the know on NICE workforce development initiatives, including these upcoming events:

The Federal Cybersecurity Workforce Summit and Webinar Series:  The Summit and the webinar series will be virtual.   Webinar Series: January 25, 2022, 1:30-3:00 p.m. EST  2022 Federal Cybersecurity Workforce Summit: April 26, 2022

NIST National Cybersecurity Center of Excellence (NCCoE) –  Website Optimized for Public Sector Collaboration

According to the redesigned and recently relaunched website, NCCoE has “reorganized its comprehensive cybersecurity guidance…streamlined [the] navigation structure… simplified our content structure and expanded our search filters.”   The architecture of the site is organized for business leaders, think tanks, and academic researchers to readily access the following communities of practice at the NCCoE:

Join a Community of Interest (COI):  The NCCoE relies on public and private sector communities of interest to share business insights, technical expertise, challenges, and perspectives to guide our projects and help us advocate for strong cybersecurity. You can participate as much or as little as you would like. Most COIs meet virtually on a monthly or quarterly basis and attendance at meetings is voluntary. Your COI might communicate through email channels more often and ask for feedback on topics of interest or draft guidance under development. Regardless, your involvement is voluntary and what you make of it. It’s not uncommon for COI members to present at NCCoE events.

Become a Project Collaborator.  There are a variety of opportunities for getting involved in designing, building, deploying, and documenting standards-based cybersecurity solutions at the National Cybersecurity Center of Excellence. The NCCoE works with members of industry to identify the most pressing cybersecurity challenges and to address technology gaps affecting multiple sectors of the economy.

Share cybersecurity challenges.  The NCCoE encourages you and your organization to reach out and form a direct relationship with them.

Cybersecurity Practical Guide to be Published in 2022

According to NIST, the NCCoE “formed a Zero Trust Architecture Working Group in October, composed of 20 companies that are looking to build and document several builds, so it’s difficult to say when exactly the project will end, according to an agency spokesperson.  A description of the practical steps needed to implement the cyber reference designs for zero-trust security, the guide will be the end result of NIST’s Implementing a Zero Trust Architecture Project.  NIST plans to publish various volumes of its forthcoming Cybersecurity Practice Guide throughout 2022 and beyond.”

NIST also speaks to the big picture surrounding this upcoming publication:  “This public-private partnership enables the creation of practical cybersecurity solutions for specific industries or broad, cross-sector technology challenges. Working with technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security— the NCCoE develops modular, easily adaptable example cybersecurity solutions demonstrating how to apply standards and best practices using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cyber Security Framework and details the steps needed for another entity to recreate the example solution.”

NIST Request for Proposal:  Study To Advance a More Productive Tech Economy

Outside of the cyber realm but of interest as well,  NIST has published a Request for Information (RFI) on emerging technologies entitled:  Study To Advance a More Productive Tech Economy.  The RFI is seeking input about public and private sector marketplace trends, supply chain risks, and legislative, policy, and future investment needs of eight emerging technology areas. The topic areas are artificial intelligence, Internet of Things in manufacturing, quantum computing, blockchain technology, new and advanced materials, unmanned delivery services, Internet of Things, and 3D printing.

NIST has published a Request for Information in the Federal Register today to collect input that will help identify, understand, refine and guide the development of the current and future state of technology in the eight emerging technology areas named above. The information will inform the “Study to Advance a More Productive Tech Economy” that was called for in the American Competitiveness of a More Productive Emerging Tech Economy (COMPETE) Act signed into law in 2020.

Further Resources

For more on cybersecurity and the type of industry challenges NIST is addressing through these various initiatives, see  Cybersecurity Sensemaking | OODA Loop.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along its journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this megatrend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for businesses and governments

From the very beginning of the pandemic, we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily intelligence as well as pointers to reputable information from other sites. See OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision-making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast