• Commerce Department Releases Cybersecurity Guidelines
  • February 24, 2014 | Author: George A. LeMaistre
  • Law Firm: Jones Walker LLP - Mobile Office
  • The U.S. Department of Commerce on February 12 released voluntary cybersecurity guidelines that are intended as an initial step toward the development of "industry standards and best practices" for use by American business organizations in managing the risks inherent in information technology and in the various activities and operations involved in electronic data generation, compilation, storage, and transmission.

    The Framework for Improving Critical Infrastructure Cybersecurity was issued by the National Institute of Standards and Technology ("NIST"), a non-regulatory agency within the Commerce Department. The agency formulated the Framework, in consultation with representatives from the private sector, under an executive order issued by President Obama in February 2013.

    The Framework is intended to provide standards and practices that can be used by a business to (1) understand and describe its present cybersecurity posture; (2) formulate objectives that can be achieved by use and application of the Framework; (3) identify and prioritize opportunities for improvements in its cybersecurity; (4) assess its progress toward attaining identified objectives; and (5) participate in communication and collaboration among internal and external stakeholders about cybersecurity risk.

    Both of the principal broad-based bank trade associations—the American Bankers Association and the Independent Community Bankers of America—welcomed the government's action. "The framework reflects existing regulations and practices within the financial services sector," said ABA President Frank Keating in a statement, adding: "It also provides important direction to the public sector on improving cybersecurity soundness and ultimately the safety of our nation's critical infrastructure."

    A statement released by the ICBA said that strengthening America's security infrastructure "is a top priority for the nation's community banks," and that the release of the Framework "comes at a crucial time and will help the public and private sectors address these challenges."

    The Framework is denominated "Version 1.0," and, according to an executive summary, it "is a living document and will continue to be updated and improved as industry provides feedback on implementation. As the Framework is put into practice, lessons learned will be integrated into future versions." NIST also released what it called a "Roadmap document," which "discusses NIST's next steps with the Framework and identifies key areas of development, alignment, and collaboration."

    The Framework consists of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.