FirstNet sets bar high for cybersecurity while pursuing ambitious timeline
Of course, the cybersecurity approach will be a key component of the RFP, but it was not part of the draft RFP released in the spring. Instead, FirstNet will release a special notice this month seeking input on the cybersecurity approach and conduct a proceeding to solicit input about the requirements that should be proposed.
Zimmerman said all of the right things, such as communicating the notion that FirstNet officials do not believe that simply adhering to all of the steps in an existing cybersecurity manual means the network actually is secure. FirstNet wants a cybersecurity framework that will enable secure operations for the long haul, and Zimmerman indicated that FirstNet is particularly interested in “innovations” that will “essentially rock the cyber world.”
On its own, this is an excellent vision: get the best input possible from all stakeholders and devise a terrific long-term solution. This strategy makes perfect sense, although it still promises to be extremely difficult, even with an unlimited amount of time—after all, we’re talking about trying to address a cybersecurity problem that no one else seems to be able to solve. And the FIrstNet system needs to be able to accept data from existing networks that likely will not be as secure.
Making this challenge tougher is the fact that FirstNet needs to issue an RFP within four months, and bidders are expected to provide their responses—with a cybersecurity solution included—within 10 months, based on the information shared during the Industry Day event.
As someone sitting in the cheap seats with no cybersecurity expertise, this seems like an extremely ambitious timeline—and it may be that Zimmerman and his team already have an approach in mind and know vendors that can make it happen. If not, developing a truly innovative cybersecurity strategy in this timeframe sounds like a huge challenge, particularly when you consider the amount of time it would take to test something new to ensure that (1) it is secure, and (2) that is it is usable in an emergency-response scenario.
Both Zimmerman and Kennedy have noted that FirstNet has the advantage of designing the network with cybersecurity in mind, something that breached networks have not done in the past—cybersecurity was an afterthought in these systems, not a priority as the systems were being created. Instinctively, this makes sense, but I do not have the expertise to determine exactly how helpful this could be.