NIST Issues Critical Infrastructure Cybersecurity Framework: What’s Next?

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released its long-awaited Framework for Improving Critical Infrastructure Cybersecurity.[1]  Mandated by President Obama one year ago in his February 12, 2013 Executive Order 13636[2] and Presidential Directive,[3] the Framework consists of standards, guidelines, and practices to promote the protection of critical US infrastructure.  Developed through a public-private consultative process overseen by NIST, the Framework is designed to provide a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.  While compliance with the Framework is voluntary for the time being, that situation could change, and companies in industries that the Framework addresses should familiarize themselves with its mandate.

Which Industry Sectors Does the Framework Affect?

The 2013 Executive Order defined “critical infrastructure” subject to the Framework as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive listed 16 sectors that are deemed “critical infrastructure,” which encompass much of the economy.  These include communications, information technology, energy, financial services, healthcare, government institutions, emergency services, nuclear and water utilities, food and agriculture, manufacturing, chemical, and national defense-related entities.  The Presidential Directive designates energy and communications systems as “uniquely critical due to the enabling functions they provide across all critical infrastructure sectors.”

Summary of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework consists of three main elements – a Framework Core, Framework Profiles, and Framework Implementation Tiers – to provide guidance to covered organizations:

  • The Framework Core presents five functions – identify, protect, detect, respond and recover – that, taken together, according to NIST, “allow an organization to understand and shape its cybersecurity program.”  The Framework Core also presents industry standards, guidelines, and practices in a manner that allows communication of cybersecurity activities and outcomes across an organization from the executive level to the implementation/operations level.
  • The Framework Implementation Tiers describe the degree to which an organization’s cybersecurity risk management meets goals set out in the Framework and “range from informal reactive responses to agile and risk-informed.”  The Tiers are designed to provide a context on how an organization views cybersecurity risk and the processes in place to manage that risk.  During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
  • The Framework Profile is a tool that enables organizations to align their cybersecurity activities with business requirements, risk tolerances and resources.  Companies can use the Framework Profile to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.

Building from those standards, guidelines, and practices, the Framework is intended to provide “a common taxonomy and mechanism for organizations” to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state; and
  5. Communicate among internal and external stakeholders about cybersecurity risk.

The Framework Is Voluntary, But…

NIST has no enforcement authority under Federal law, and adoption of the Cybersecurity Framework is purely voluntary.  Moreover, as the Framework itself states, it is not a “checklist of actions to perform” or “a one-size-fits-all approach” since organizations “have unique risks – different threats, different vulnerabilities, different risk tolerances.”  Rather, acknowledging that many organizations already have in place processes for addressing privacy and civil liberties, the Framework is designed to complement an organization’s existing risk management program, not to replace it.

Nevertheless, companies in critical infrastructure sectors have a variety of reasons to familiarize themselves with the NIST Framework, and to use the Framework to shape their cybersecurity policies and procedures:

  • The Framework May Become The Law.  In its Executive Order, the White House directed the agencies responsible for regulating the security of critical infrastructure to submit a report to the President within 90 days after publication of the NIST Framework that states whether the agencies have clear statutory authority to establish requirements based on the Framework.  If they determine they do not have such authority, such agencies are required to propose prioritized, risk-based, efficient and coordinated actions to mitigate cyber risk.  In addition to this mandate, there are several bills pending in Congress that would give executive agencies expanded authority to address cyber attacks.
  • Incentives.  Pursuant to the Executive Order, Executive Branch agencies have also been exploring the adoption of incentives to encourage companies to adopt the NIST Framework.  These include: measures to foster a more competitive cyber insurance market; preferences for entities seeking federal critical infrastructure grants; technical assistance for entities adopting the Framework; limitations on liability, limited indemnity and higher burdens of proof for owners and operators of critical infrastructure that adopt the Framework; and rate recovery for price-regulated industries.  Most, but not all, of these initiatives would require Congressional action.
  • Potential Safe Harbor.  Even if the NIST Framework remains voluntary, private companies may wish to tailor their cybersecurity practices to Framework guidelines as a potential safe harbor demonstrating that they have exercised a reasonable standard of care in the event of litigation.

What’s Next?

Framework Version 2.0.  NIST has labeled the Cybersecurity Framework as “Version 1.0” and described it as a “living document” that “will continue to be updated and improved as industry provides feedback on implementation.”  To ensure this evolution, NIST will continue to serve in the capacity of “convener and coordinator” at least through Version 2.0 of the Framework, working with critical infrastructure owners and operators.  In the interest of continuous improvement, NIST will receive and consider comments about the Framework informally and conduct workshops until it issues a formal notice of revision to Version 1.0 seeking formal comments.

Framework Roadmap.  Concurrent with the release of the Cybersecurity Framework, NIST has also issued a companion Roadmap[4] that discusses NIST’s next steps with the Framework and identifies key areas of development, alignment and collaboration.  These plans are based on input and feedback already received from stakeholders in the Framework’s development process.

DHS C³ Program.  Also concurrently with the issuance of the Cybersecurity Framework, the Department of Homeland Security has established the Critical Infrastructure Cyber Community (C³) Voluntary Program as a public-private partnership to increase awareness and use of the Framework.  The C³ Program is designed to help sectors and organizations that want to use the Framework by connecting them to existing cyber risk management capabilities provided by DHS, other U.S. Government organizations, and the private sector.  At the time of launch, available resources will primarily consist of DHS programs, which will grow to include cross-sector, industry, and state and local resources.

Regulations and Legislation.  As noted above, the 2013 Executive Order requires Executive Branch Agencies, within 90 days after release of the Cybersecurity Framework (May 13) to submit a report to the President that states whether or not the agency has clear authority to establish requirements based on the Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.  If such agencies determine that current regulatory requirements are insufficient, on that date they must propose prioritized, risk-based, efficient and coordinated actions to mitigate cyber risk.

FTC Enforcement Action.  Since 2002, the FTC has settled 50 law enforcement actions against businesses that it alleged did not adequately protect the data privacy of consumers.  Relying on its authority under Section 5 of the Federal Trade Act, governing deceptive and unfair trade practices, the FTC has explained that its approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.  The Commission has made clear that “it does not require perfect security; reasonable security and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.”[5]