• A Look Inside NIST's Updated Cybersecurity Framework
  • March 9, 2017 | Authors: Nathan A. Cardon; Tracy P. Marshall; Sheila A. Millar
  • Law Firm: Keller and Heckman LLP - Washington Office
  • Law360

    From ransomware attacks to data breaches at major retailers, health care facilities and other major players in the U.S. and international economy, cyberattacks continue to present serious threats to businesses across the supply chain. The growth of these attacks, and the dramatic increase in the number of connected products and networks, pose even larger threats to consumers, businesses and the infrastructure itself. With an increased focus by regulators on business measures to address cyber risks and prevent data breaches, and the growth of class action lawsuits, managing cybersecurity risks is now a key issue for C-suite executives. The National Institute of Standards and Technology (NIST) continues to offer important guidance for businesses interested in hardening their security measures.

    The NIST Cybersecurity Framework

    The voluntary NIST cybersecurity framework had its roots in former President Barack Obama’s Feb. 12, 2013 executive order, which called for the development of a risk-based, voluntary set of industry standards and best practices related to cybersecurity. The framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia and government agencies.

    NIST first issued the framework for critical infrastructure in 2014. Since then, the framework has become a key reference point for businesses in managing cybersecurity risks which increasingly touch businesses at all levels. Equally important, the framework is considered by some regulatory authorities to reflect a standard of conduct in responding to cyber threats and risks. This is a good time to review the framework, since NIST released a draft update on Jan. 10, 2017, seeking comments on the revisions. The update provides guidance on previously unclear key terms, a new section on managing supply chain risks, clearer explanation of its tier system, and the introduction of cybersecurity metrics.

    Why is the framework useful to businesses? It focuses on using business drivers to guide cybersecurity activities and advises businesses to consider cybersecurity risks as part of the organization’s risk management processes. NIST’s update, Version 1.1 of the "Framework for Improving Critical Infrastructure Cybersecurity," incorporates feedback and suggestions received since 2014, including input from a December 2015 request for information and comments from attendees of an April 2016 workshop.

    Application of the NIST Principles

    Of course, applicability of specific cybersecurity measures depends on a company’s size, sophistication and use of technology. Regardless of size, the NIST framework can be seen as setting a reference standard of care for managing and responding to cybersecurity risks. Business sectors and companies may want to consider the framework’s systematic approach in developing their own procedures.

    The five core concurrent and continuous functions specified in the original framework are:
    • Identifying risks and key information assets;
    • Protecting the key information identified;
    • Detecting breaches;
    • Responding to those breaches; and
    • Recovering from those breaches.
    These basic principles appear in all data security guidance documents. The Cybersecurity Enhancement Act of 2014 calls for NIST to continue its work on the framework.

    How the NIST Framework Update Affects the Cybersecurity Landscape

    Organizations need to set priorities for both resources and time. The proposed revisions to the NIST framework include a more detailed set of implementation tiers, which are designed to help businesses assess security priorities according to criticality.

    Supply Chain Management

    In previous comment periods, businesses asked for guidance on cyber supply chain risks, including how to better communicate cybersecurity requirements to stakeholders. The update adds a new section on supply chain risk management which standardizes terms and encourages organizations to develop a systemic approach to managing cyber supply chain risk:

    ... using real-time or near real-time information and leveraging an institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization ... via enterprise risk management policies, processes and procedures. (Section 2.2, “Framework Implementation Tiers,” 443-450)

    Clarification of Key Terms

    The update resolves uncertainties over important terms such as authentication, authorization and identity proofing.

    Measuring Cybersecurity

    One of the most important changes is the introduction of metrics, designed to “facilitate decision-making and improve performance and accountability,” and measurements, which are “quantifiable, observable, objective data supporting metrics.” For example, a metric might be how thoroughly a business has secured its databases. A measure could be the percentage of systems in a geographic location that are fully up to date with cybersecurity software.

    Key Takeaways for Business

    According to recent data from prominent security company Kaspersky Labs, the use of ransomware is now so widespread that nearly every moment, a ransomware attack is being launched somewhere in the world on businesses and consumers. Forty-two percent of small- and medium-sized businesses were hit with ransomware attacks in 2015-2016, while individual consumer attacks escalated from one every 20 seconds to one every 10. Now, more than ever, businesses need to show they have taken reasonable steps (given their size and industry) to assess these risks, and to implement appropriate measures to minimize data security risks and cyberthreats.

    With such near-constant risks, identifying frameworks and processes to assess, implement, and reassess security solutions periodically can be a major challenge for businesses. The framework is a good place to start. As NIST points out, the framework “is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks - different threats, different vulnerabilities, different risk tolerances - and how they implement the practices in the framework will vary.”

    While the framework is voluntary, its influence is increasing. It has been widely adopted by businesses. It was also recommended by the U.S. Department of Justice as “excellent guidance on risk management planning and policies and merits” in its 2015 "Best Practices for Victim Response and Reporting of Cyber Incidents." Insurance companies, plaintiffs’ lawyers and others may also look to the framework as a standard for due diligence, making it important to stay up to date.

    NIST is seeking public comment on the draft update until April 10, 2017. Feedback and comments should be directed to [email protected]. As security professionals work to broaden corporate support for cybersecurity and risk avoidance measures, the NIST framework may help. However, those not immersed in the details of cybersecurity may struggle to understand the NIST guidance. Businesses may want to consider suggesting in this comment period that the update be written in plain language, or at a minimum include a summary suitable for technical security experts to share with C-suite executives. A plain language summary may help those executives better understand where cybersecurity fits in the corporate risk mix, and how to implement a scalable security risk management process.

    NIST intends to publish a final Framework in the fall of 2017.