A draft appendix was released today to help the First Responder Network Authority (FirstNet) inform its preparation of cybersecurity portions of its final request for proposals (RFP). The draft appendix was referred to in the draft RFP issued in April (TRDaily, April 24 and 27), but it took additional time for FirstNet officials to complete it.

Comments on the document are due Oct. 16. A three-page special notice was also released today with the 25-page draft Appendix C-10. “The cyber security challenges inherent in the development, deployment and operation of the NPSBN require a paradigm shift in how a network of this type is secured and defended,” FirstNet said in the appendix. “FirstNet seeks to create this paradigm shift so that the NPSBN can be appropriately defended.”

“The Nationwide Public Safety Broadband Network (NPSBN) will be unique. FirstNet intends to include a diverse multi-platform user equipment base, more than 60,000 public safety enterprise (PSE) networks, more than 6,800 public safety answering points, a nationwide core network, an applications ecosystem, and a host of radio access networks spanning 56 states and territories. Due to the network’s complexity, the design, deployment, and ongoing operations of the NPSBN will present unique cyber security challenges,” the draft appendix said. “FirstNet seeks cyber security solutions that match the unique and complex nature of the NPSBN’s undertaking.

“Traditional cyber security approaches tend to focus on local and enterprise fixed networks that are connected via physical fiber or cable with the majority of processing and access conducted from fixed locations. While wireless access has become more common, it still only represents a small sub-set of the central network. Moreover, traditional cyber security efforts rely heavily on established, accepted measures of regulation that emphasize compliance rather than actual security,” the document added. “The NPSBN, however, will require a different approach because a simple adoption of today’s standards will not provide the level of mitigation or hardening against cyber threats required by FirstNet and its users.

“This call for a new approach was recently emphasized by several high-profile breaches of both industry and federal government systems, including the widespread compromise of the Office of Personnel Management in which personal information of more than 21.5 million current and former federal employees was stolen; the breach of United Airlines reservation and ticketing systems which revealed traffic patterns of origination and destination for millions of people; the email compromise of Sony Corporation; the hacking incident of the Census Bureau; and the cyber break-in of the USIS (United States Investigative Services), which handles background investigations for federal employee security clearances,” the appendix added.

FirstNet added that “in the compliance driven world of the Federal Information Security Management Act (FISMA) and its commercial equivalent … guidance doesn’t focus on actual security but rather the generation of detailed reports. The burdensome nature of this approach drains thousands of man-hours from organizations yet fails to address in a systematic or holistic view the real cyber security concerns of the owning organizations. … Security needs to be functionally and operationally focused in order to be effective and responsive. This can only be achieved if security is intrinsic to the design and implementation of every aspect of the network and data environment from inception. This is the goal and approach to be employed by FirstNet.”

The document continued, “Public safety users have two needs that often compete with each other. They must have instantaneous communications and the communications must be secure. A cyber security solution that establishes a secure network at the cost of delays or needless hindrances is not workable, and neither is a solution that permits immediate access but fails to adequately secure data. FirstNet seeks cyber security approaches that will prioritize effectiveness while ensuring that communications are not hampered. Thus, FirstNet’s NPSBN cyber security efforts will be guided by three key principles: confidentiality, integrity, and availability. The NPSBN must be able to address cyber security from an end-to-end perspective within a changing geographic and mission base while also addressing routine and urgent operational needs for public safety entities.”

The appendix touches on cybersecurity key concepts, architecture, lifecycle, guidance, systems engineering, risk management, incident response and security operations, continuous monitoring and mitigation methodology, testing and certification, network management and configuration management, environmental and physical security, and information security and data sensitivity. – Paul Kirby, paul.kirby@wolterskluwer.com

Courtesy TRDaily