|February 19, 2014|
Previously published on February 18, 2014
In February 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” directing the development of a voluntary, risk-based cybersecurity framework. The National Institute of Standards and Technology (NIST), a federal technology agency that works closely with industry, issued a preliminary draft in October 2013 for public comment. NIST then released the official Framework for Improving Critical Infrastructure Cybersecurity on February 10, 2014. It is similar to the preliminary draft but removes Appendix B, the “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program,” which had received mixed industry feedback.
NIST’s final framework explains how to manage cyber risk using shared knowledge developed through public-private collaboration, with specific recommendations applicable to a variety of organizations. The framework instructs organizations on how to assess their current level of cybersecurity, set goals for improvement, and create a plan for implementing these goals through a structured approach, which breaks cybersecurity down to key focus areas.
As a “living” document, the framework will be updated to keep pace with changes in technology, to ensure that the standards address the needs of various sectors, and to encourage consensus. In fact, NIST has already released a roadmap for future developments, which states that the current list of recommendations is not exhaustive, outlines future focus areas, and emphasizes the importance of private sector involvement to push these initiatives. Furthermore, the roadmap suggests that the future governance of the framework may shift to a non-government organization, which may be more capable of working “closely and effectively with international organizations, in light of the importance of aligning cybersecurity standards, guidelines, and practices within the United States and globally.”
Elements of the Framework
The three main elements of the framework are (1) framework core, (2) tiers, and (3) profiles. The framework core lists activities that can be used to achieve certain security outcomes. The core includes suggestions on how to identify, protect, detect, and respond to cyber attacks. The tiers refer to levels of rigor for which organizations implement cybersecurity measures, which in turn help organizations identify where they stand in the four-tier structure and whether they should consider moving to a more rigorous model (e.g., moving from localized to company-wide policies). The profiles help companies identify what programs they currently have implemented (“Current Profile”) and what they need to do to meet additional risk management goals (“Target Profile”).
NIST created its framework to improve cybersecurity for “critical infrastructure.” This is defined in the 2013 Executive Order as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof.” Specific industries that have critical infrastructure include power and utilities, financial services, telecommunications, chemicals, food and agriculture, and healthcare. While these industries may have existing cybersecurity regulations, the framework supplements them by providing examples of how specific goals can be achieved using strategies collected from different sectors.
Although businesses are not required to adopt the NIST framework, careful consideration of the framework is advised. First, proposed federal incentives (cybersecurity insurance, grants, process preference, liability limitations, ability to help streamline regulations, public recognition, rate recovery for price regulated industries, and influence on the direction of government sponsored cybersecurity research) encourage participation overtly. Second, because the framework is likely to affect how business partners think about cybersecurity, it may affect business relations. For instance, the new standards may shape how insurers view data breaches, who may address the framework in commercial contracts. Third, litigants and courts may consider NIST’s recommendations in cybersecurity litigation. Fourth, the framework may eventually become a basis for legislation. Businesses that participate in the framework may therefore have an opportunity to shape the guidelines and determine an appropriate standard before it becomes mandated by law.
Given the potential impacts of the cybersecurity framework, critical infrastructure and other companies should consider the framework with respect to their current policies and programs.