
Is a lack of direction and bad advice putting Telecommunications, ISP and Broadband Providers at Risk?

by Jay Harmon

Here in the United States, telecommunications/ISP/broadband service providers are readying their organizations to certify they have implemented a NIST CSF (Cybersecurity Framework) and a Supply Chain Risk Management program within their organizations to take part in the FCC’s Enhanced ACAM program no later than 2 January 2024.  

Again, in the summer/fall of 2024, these industries' providers will attest to the same NIST CSF and supply chain requirements to receive funding through the BEAD grant (Broadband Equity Access and Deployment Program), which represents $42.5 Billion in funding opportunities for States, Tribes, and Territories. That is serious money for a great cause.

As one can imagine, there has been a flurry of activity surrounding these programs and their associated requirements. The E-ACAM program (administered by the FCC) and the BEAD Grant (directed by the Department of Commerce, NTIA and administered through State Broadband offices or agencies) have been quiet about supplying direction. It is still unclear as to their expectations or interpretation of what an acceptable program will look like when an organization attests or certifies that their program “reflects NIST CSF and IR8276/800.161.”

At this point, the telecommunications providers must interpret for themselves what they are attesting or certifying to. This is understandable because NIST CSF is a voluntary program and designed to be flexible so that organizations can tailor the program to their unique needs.

Except that it is not voluntary in this case – the contract for accepting E-ACAM and BEAD funding requires that NIST CSF be implemented by providers prior to the acceptance of funds.

Unfortunately, this gives way to “security by intuition of the uninformed,” resulting in immature and ineffective programs. The causes are a lack of direction, a lack of awareness and understanding, and a chorus of voices filling the air, in essence saying that these two U.S. Government agencies don’t really obligate you to do anything.

My team and I have heard statements like “document what you do today, that’s all you have to do to be defensible”.

Defensible how?

In court?

Against the DOJ Cybercrime Task Force?

Against a nation state threat actor?

Who are we worried about defending ourselves to/against?

Or another statement we’ve been hearing is “buy my tool(s) and use my service and we can make you ‘compliant’ for very little investment of funds, resources or effort, and in no time at all”.

Is this advice misguided, misinformed, or just missing the point?

Humans love the path of least resistance. The easy button. The problem with this should be obvious in a digitally interconnected world. The path of least resistance leads right into your unprotected infrastructure.

We at BorderHawk have a saying: The Digital World Punishes the Passive™
