Beyond the IT Checklist: Engineering a Reasonable Standard of Care for Cyber Safety
摘要
Current U.S. cyber policy, centered on security, often treats documentation of controls and incident reports as a proxy for safety in the built environment. This paper argues that such an approach is inadequate for cyber-physical systems, where digital failures can produce kinetic harm. We construct and code a corpus of critical infrastructure policy documents (N=292, 2000-2025) to examine how "reasonable care" is operationalized across the NIST SP 800-160 Vol.~2 resilience lifecycle. The resulting maps show that obligations are concentrated in the Anticipate phase and emphasize administrative compliance, while Withstand and Recover phases rely heavily on delegated references to IT-focused control catalogs that are poorly aligned with physics-based hazards. We identify three major disconnects: miscalibrated delegated standards, recovery defined as notification rather than engineered navigation, and uneven adaptation requirements across sectors. We then propose a modernized standard of care anchored in hazard-specific traceability, structured assurance cases, and cyber resiliency engineering. Finally, we recommend that federal policy pair these engineering obligations with targeted incentives so that resilient architectures for critical infrastructure become a viable business decision rather than an unfunded expectation.
正文
Current U.S. cyber policy, centered on security, often treats documentation of controls and incident reports as a proxy for safety in the built environment. This paper argues that such an approach is inadequate for cyber-physical systems, where digital failures can produce kinetic harm. We construct and code a corpus of critical infrastructure policy documents (N=292, 2000-2025) to examine how "reasonable care" is operationalized across the NIST SP 800-160 Vol.~2 resilience lifecycle. The resulting maps show that obligations are concentrated in the Anticipate phase and emphasize administrative compliance, while Withstand and Recover phases rely heavily on delegated references to IT-focused control catalogs that are poorly aligned with physics-based hazards. We identify three major disconnects: miscalibrated delegated standards, recovery defined as notification rather than engineered navigation, and uneven adaptation requirements across sectors. We then propose a modernized standard of care anchored in hazard-specific traceability, structured assurance cases, and cyber resiliency engineering. Finally, we recommend that federal policy pair these engineering obligations with targeted incentives so that resilient architectures for critical infrastructure become a viable business decision rather than an unfunded expectation. Authors: Matthew E. Jablonski, Linton Wells, Kathryn B. Laskey, F. Brett Berlin Categories: cs.CR PDF: https://arxiv.org/pdf/2606.13612v1 Comment: 6 pages, 2 figures, Accepted for publication and presentation the Cyber Safety Summit, Washington, D.C., 2026
标签
- category:cs.cr
- primary_category:cs.cr
- source:arxiv
- type:paper
扩展字段
{
"arxiv_id": "2606.13612v1",
"authors": [
"Matthew E. Jablonski",
"Linton Wells",
"Kathryn B. Laskey",
"F. Brett Berlin"
],
"categories": [
"cs.CR"
],
"comment": "6 pages, 2 figures, Accepted for publication and presentation the Cyber Safety Summit, Washington, D.C., 2026",
"doi": null,
"entry_id": "https://arxiv.org/abs/2606.13612v1",
"pdf_url": "https://arxiv.org/pdf/2606.13612v1",
"primary_category": "cs.CR",
"search_query": "cat:cs.CR",
"updated_at": "2026-06-11T17:25:07+00:00"
}