NIST Says: Identify, Protect, Detect, Respond, Recover
It has been a year-plus since President Biden signed the Bipartisan Infrastructure Law (PL 117-58) dedicating funds to ensure every American has access to high-speed Internet. Of this massive investment, $42.45 billion was allocated to the NTIA Broadband, Equity, Access, and Deployment (BEAD) program. The BEAD program allocates funds to all 50 states and six territories to enable them to bridge the digital divide through the development of state grant programs.
The BEAD program has a long timeline. Last summer, all 50 states and six territories asked for planning funds, and awards have been rolling out since last fall. These initial funds are meant to help states determine the unserved and underserved areas in their territory, build up their broadband offices, and conduct intensive community surveying. At Learn Design Apply, Inc. (LDA), we have a common refrain—while the states plan, you plan.
Already, many states have been considering the rules and regulations they will implement for their BEAD-funded grant programs. While we can’t know all the specifics, we do know some. The BEAD Notice of Funding Opportunity outlines certain rules that states must require of their subgrantees (the grant applicants). Tucked into the middle of the 98-page guidance are two crucial components—cybersecurity and cyber supply chain risk management.
The High-Level Low-Down
To receive BEAD grant funds, each sub-recipient must attest that:
- There is an operational or ready to be operational cybersecurity plan.
- The plan reflects the latest version of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
- The plan will be reevaluated on an ongoing basis.
- The plan will be submitted to the state prior to the allocation of funds.
In addition to the above, each sub-recipient must attest that:
- There is a supply chain risk management plan that is operational or ready to be operational.
- The plan is based on key practices outlined by NIST and specifies the supply chain risk management controls that are implemented.
- The plan will be reevaluated on an ongoing basis.
- The plan will be submitted to the state prior to the allocation of funds.
“…it’s time to read the NIST framework. While it seems overwhelming, it is important to review all of it, down to the 108 subcategories. Keep in mind the fierce competition for BEAD funds—the more your plan adheres to the framework, the better your chances of success.”
NIST and Why We Care
The National Institute of Standards and Technology (NIST) has been a federal agency since 1901 and is currently a part of the Department of Commerce. As the name indicates, NIST is charged with creating the measurements and standards used in science and technological innovation. When it comes to BEAD, not only does this agency perform the pre-award risk assessments for NTIA grants and handle the grant award management, their published frameworks and articles serve as the basis for grant requirements.
Many established and new companies may have cybersecurity plans in place already. This is an excellent practice given that one source, Check Point Research, revealed cyberattacks increased 38% from 2021 to 2022, with a prediction that 2023 may see similar or worse numbers. Ransom demands have skyrocketed; and both large and small companies, public and private, are targets. As the risk rises, it behooves every organization to revisit any cybersecurity plans to assess their alignment with the NIST framework. For those without a plan, it’s time to create one.
Framework Nuts and Bolts
The NIST framework is on version 1.1, with version 2.0 predicted to be released late in 2024. The BEAD NOFO directs subrecipients to have a cybersecurity plan that reflects the most current version. Our prediction is that 2.0 will provide refinements and address new challenges. The nuts and bolts that hold the framework together will remain the same—meaning, the current framework is still a great guide. It is loose enough to fit a variety of organizations and industries while rigid enough to direct you through the creation of a cybersecurity plan or assess and revise the one you currently have.
The framework is organized by five key components: Identify, Protect, Detect, Respond, Recover.
- Identify: Your cybersecurity plan should do more than identify the hardware and software that your company uses. Identification means determining your critical processes—business activities, including collecting customer data or receiving payments—are absolutely vital for you to remain functional. Identification also includes documenting how information flows in your company, determining the threats, vulnerabilities, and risks you face, and establishing clear policies and roles for your cybersecurity activities.
- Protect: Consider and document in your plan how you protect your organization. A robust cybersecurity plan has safeguards in place for the devices your organization uses, but also fewer tangible things. The protection part of your plan should outline how you backup your data, how you protect sensitive data, and how you manage access to data by different employees. You should outline any cyber insurance policies you hold. Equally as important is describing how you train your employees. According to an IBM study, 95% of cybersecurity breaches are caused by human error. Your plan should outline the steps you take to combat this statistic.
- Detect: While we may do our best to protect, cyberattacks happen, and detecting them quickly is critical to mitigate harm. Your cybersecurity plan should discuss your detection processes, software, and practices. Include an outline of your testing procedures, their frequency, and the tracking of anomalies in your system. By working through the Identify and Protect part of your plan, you will have documented your company’s baseline data flows, which will make it easier to detect anomalies.
- Respond: What do you do when your organization experiences a cyberattack? Your cybersecurity plan should outline each action taken in the event of a breach. Not only should you outline the internal responses and actions, but also information on external communication. Consider legal reporting requirements and which stakeholders must be contacted. NIST suggests testing your plan to make sure all players know their role and to spot areas for improvement.
- Recover: Your cybersecurity plan should outline how you recover from an attack. Include the activities required to repair damages and how you can be resilient moving forward. An important consideration in recovery is public relations—how do you maintain your organization’s reputation in the event of a cyber breach? What other communication should take place, and how will it be handled? These considerations will guide you through your recovery and help you avoid reactionary responses that may exacerbate the crisis.
The nuts and bolts outlined here are a great starting point for your cybersecurity plans. Next, it’s time to read the NIST framework. While it seems overwhelming, it is important to review all of it, down to the 108 subcategories. Keep in mind the fierce competition for BEAD funds—the more your plan adheres to the framework, the better your chances of success.
What About Supply Chain?
The BEAD supply chain requirements do not refer to the physical components of your network (though I encourage you to address your plans to combat those shortages in your grant narrative). Rather, this requirement looks at the cyber supply chain—the organizations, technologies, hardware and software that your company uses and connects to. According to a NIST study, 59% of companies experience a data breach caused by one of their third parties.
Your cybersecurity plan may already address Cyber Supply Chain Risk Management (C-SCRM), or you may be planning to include it in one you create. While the BEAD guidance calls out C-SCRM separately from the cybersecurity plan, you may combine them into one document. LDA predicts the NIST framework 2.0 will address C-SCRM in more detail, so incorporating it into your overall plan now will put you ahead of the curve.
Whether it is a separate document or embedded in your cybersecurity plan, your C-SCRM plan should describe what your supply chain is, what cybersecurity practices your suppliers use, what cybersecurity criteria you require for new suppliers, and what supplier communication plans you have in place in the event of a breach. In addition, consider how you will ensure business continuity if a supplier has a cyberattack, what security controls you have in place for suppliers, and what data your suppliers may have from your organization. Open, transparent discussions with your suppliers will be required for this. Doing this early will also foster a better working relationship with them.
Do the Homework
Plain and simple—you cannot receive a BEAD funded grant if you do not have a cybersecurity plan that aligns with the NIST framework complete with a C-SCRM plan. Drafting these plans will take time and involve multiple individuals, so don’t put this off to the last minute. We estimate that creating a plan from scratch can take upwards of 50 hours for a small company. The larger the organization, the longer it will take. Use your time wisely and ensure your company is cybersecurity ready for BEAD funds.
