• Request for Public Comment by National Institute of Standards and Technology: An Opportunity for Government Contractors to Reflect on Best Practices for Cybersecurity
  • September 17, 2014 | Author: Karla J. Soloria
  • Law Firm: Kaufman & Canoles A Professional Corporation - Norfolk Office
  • The National Institute of Standards and Technology (NIST) announced on August 25, 2014 that it is seeking public comment about awareness and implementation of the Framework for Improving Critical Infrastructure Cybersecurity (the Framework). 79 Fed. Reg. 50891 (Aug. 26, 2014). Created through collaboration between industry and government, the Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure through the management of cybersecurity-related risk.

    The Framework, released earlier this year, has its roots in Executive Order 13636 (EO), aimed at enhancing protection of the country’s critical infrastructure. The EO defined the term critical infrastructure to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

    NIST’s call for public comment about implementation of the Framework offers an opportunity for government contractors to assess whether they have implemented best practices for identifying, preventing, and responding to cyber risks. Although the Framework has not yet been added to the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) as mandatory requirements, government contractors would be wise to take steps now to ensure they are in line with industry standards for cybersecurity, using the Framework as a valuable guide. This is especially true in light of recent regulatory developments regarding government contractors’ information systems, such as the proposed FAR Rule on Safeguarding Contractor Information Systems and the DFARS Rule on Unclassified Controlled Technical Information.