Cybersecurity

On October 23, 2013, the National Institute of Standards and Technology ("NIST") released the long-awaited draft of its Cybersecurity Framework, intended to help "critical infrastructure" organizations improve their IT and data security programs and policies. The NIST Framework is a work-in-progress and is subject to a 45-day period of public comment that ends on December 13, 2013. Unlike "comment periods" that exist in name only, the NIST is required by President Obama's February 2013 Executive Order to work with stakeholders to develop the Framework and subsequent standards. As a result, industry leaders have a unique opportunity to impact the final product and define the standards that will ultimately govern the critical infrastructure industry.

Organizations considered "critical infrastructure," such as those in the energy sector, finance and banking, healthcare, transportation, telecommunications, defense, and utilities, should take advantage of the comment period to review the proposed Framework and submit recommendations for proposed changes to the NIST. It is also advisable for organizations to conduct a gap analysis of their own cybersecurity, privacy, and data governance programs to identify areas in compliance with the NIST Framework and those areas needing improvement.

Following the review period, NIST will incorporate changes recommended by stakeholders before releasing the final version of the standards in February 2014. The NIST has stressed that the standards will, at this time, be voluntary and are not a one-size-fits-all solution. "Because each organization's risk is unique...the implementation of the standards will vary," said the NIST. The standards are also intended to complement, not replace, an organization's existing cybersecurity risk management programs. Through the standards, the NIST aims to help organizations improve their existing cybersecurity protocols and to provide a reference for establishing new programs.

The NIST cybersecurity standards are an outgrowth of the Executive Order issued by President Obama in February of this year. The Order called for the development of a Cybersecurity Framework for managing cyber risks within critical infrastructure sectors. According to the NIST, the Framework is intended to be "prioritized, flexible, repeatable, performance-based, and cost-effective." NIST developed the cybersecurity standards, in coordination with industry leaders, to serve as "best practices" for companies in sectors such as power, telecommunications, transportation, financial services, and energy. In an effort to build support and cooperation, the standards will be voluntary (for now) and do not mandate specific security controls. Rather, they are intended to provide specific guidance for detecting and responding to attacks, mitigating the fallout from cyber incidents, and for managing overall cyber risks.

While subject to change, at a high level, the standards provide a common language and mechanism for organizations to: 1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; and 5) foster communications among internal and external stakeholders. Rather than introduce new protocols or technology, the Framework relies on existing standards, guidance, and best practices to build a foundation for managing a cybersecurity program.

The Framework is a risk-based approach composed of the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a compilation of standards intended to foster the communication of cybersecurity risks across an entire organization, from the most senior executive to front-line IT personnel. In contrast, the Framework Profile is, in essence, a snapshot of a company's current security readiness, which can be used to track progress in implementing comprehensive security protocols. Somewhat more ambiguous, the Framework Implementation Tiers seek to describe how a specific organization manages its cybersecurity risks. For example, companies will be categorized into "tiers" that reflect organizational characteristics related to cyber readiness, such as "risk aware" or "adaptive."

Although the current draft does not deviate greatly from the earlier draft of the Framework, it would be prudent for organizations to become familiar with it. Government regulators and parties to litigation or a dispute tend to look to industry standards when judging whether a company's conduct was appropriate. In this regard, the NIST Framework is likely to be the measuring stick against which the critical infrastructure industries' cybersecurity efforts are judged.

The NIST Cybersecurity Framework can be found at http://www.nist.gov/itl/cyberframework.cfm.

Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.
