Has your organization developed a plan to manage your cybersecurity risks?

Article provided by CBAN Associate Member Consortia Consulting

By now, most organizations understand that they need a cybersecurity risk management plan that provides an informed basis for identifying and assessing their cybersecurity risks and for putting in place safeguards to either eliminate or at least mitigate those risks. However, the process of developing a comprehensive and effective cybersecurity risk management plan is often viewed as too difficult. Many organizations are simply unsure of how to even begin evaluating their cybersecurity status or “profile” and implementing safeguards intended to guard against cybersecurity threats and attacks.

Across all “Critical Infrastructure Sectors” as defined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), including those entities providing broadband services, the starting place is the National Institute of Standards and Technology (NIST) and its “Cybersecurity Framework (CSF) 2.0”. This “Framework” is viewed as a preeminent resource and defines high-level cybersecurity outcomes that any organization can use to better understand, assess, prioritize, and communicate its cybersecurity efforts. The NIST Cybersecurity Framework is intended not only to assist an organization in developing cybersecurity plans and/or programs, but also to serve as a reference that enables organizations to continually evaluate their risk profile and to adopt and implement changed or new best practices for mitigating and responding to cybersecurity risks.

According to consultants at Consortia, broadband providers that do not yet have a formal cybersecurity risk management plan should treat developing and adopting such a plan as a priority.
The FCC and other federal agencies have already imposed regulations requiring the filing of cybersecurity risk management plans in relation to: (1) rural carriers receiving “Enhanced ACAM” universal service support; (2) any providers receiving BEAD grants, as a condition of those grants; and (3) any entities receiving Digital Equity Grants, as a condition of those grants. In addition, the FCC specifically has proposed, as part of new rules addressing the existing “Emergency Alert System (EAS)”, that all providers participating in that System (cable providers and MVNOPDs) “create, update, and implement” cybersecurity risk management plans. Given these requirements imposed by the FCC and NTIA, and a recently more active Cybersecurity and Infrastructure Security Agency, it appears reasonable to expect that eventually all broadband providers will be subject to an obligation to file formal cybersecurity plans.

For entities providing broadband services specifically, Consortia Consulting staff is very familiar with the latest version of the NIST Framework (Ver. 2.0) and is offering its assistance with developing cybersecurity plans. It has developed an in-depth questionnaire intended to assist companies in identifying and describing the actions or practices that are part of their current cybersecurity risk management “profile”, and to aid in incorporating these cybersecurity-related actions or practices into a formal risk management plan.
Broadband Bytes News. Presented by the Community Broadband Action Network and curated by Curtis Dean.