Last week the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its long-anticipated draft “Preliminary Cybersecurity Framework” (PCF). This PCF lays out a proposed framework by which both private and public companies that work with “critical infrastructures” may (i) better evaluate cyber-risk, (ii) prepare better defenses against the threat of cyber-attacks, and (iii) prepare focused recovery/remedial protocols in response to any such attacks.
The PCF arises from the President’s February 12, 2013 Executive Order 13636, which called for NIST’s development of a “framework” providing a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for “critical infrastructure services” to manage cybersecurity risk. The PCF will commence a 45-day public comment period followed by the PCF’s finalization in February 2014.
The new framework outlined in the PCF sets out specific steps and best practices for all organizations – both public and private, as well as small and large — to implement so as to better protect the U.S.’s critical cyber infrastructure. The PCF sets out a proposed risk-based approach to combating cybercrime, and summarizes five basic functions (a so-called “Framework Core”) for cybersecurity protocols: (i) identify, (ii) protect, (iii) detect, (iv) respond and (v) recover. In addition, Appendix B of the PCF supplies a “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program,” which provides a set of specific privacy considerations outlined using the format suggested in the PCF’s Framework Core. Set out in detail are various topics/issues along with source materials in connection with each function/category identified in the PCF. Significantly, the PCF as currently outlined imposes no legally binding regulations or requirements, but is instead grounded on a “voluntary basis” that is to serve as a model process that organizations may conform to their own specific cybersecurity needs and circumstances.
Secondly, the PCF provides for a “Framework Profile,” which is intended to show organizations one approach on how to track cyber threat defense efforts against targeted goals. This tool can then be used to gauge allocation of resources across larger defense projects. In short, this suggested tool provides organizations with a simple, yet direct, way by which to self-assess the implementation progress of their risk assessment and defensive/responsive measures.
Finally, the PCF provides for “Framework Implementation Tiers,” which are aimed at assessing the relationships between an organization’s overall risk management functions such as current risk assessment practices, actual threat environment analyses, legal/regulatory requirements, business objectives and organizational restrictions. These tiers are used to assess the overall level of an organization’s handling of cyber risk – starting at “Tier 1: Partial”, and proceeding up to “Tier 2: Risk-Informed”, then to “Tier 3: Risk-Informed and Repeatable”, and culminating with “Tier 4: Adaptive.”
It is important to note that the PCF is a suggested “means” to the implementation of either (i) an improved and more robust cyber defense program (for those organizations having a current program), or (ii) an initial program (for those organizations lacking one). It provides organizations with the ability to evaluate its risks and the need (if any) for greater assessment efforts (either qualitatively and/or quantitatively). While any specific organization’s risk environment and susceptibility to cyber attack will differ from those of other organizations, the risk facing those companies implementing “critical infrastructure” remains high as the incidence of cyber attacks over the last few years continues to escalate.
Thus, it is important for corporate leaders to set cyber defense strategies and facilitate their prompt and efficient implementation. The model laid out by the PCF provides one such avenue of guidelines and methodologies. It also signals the growing importance of cyber security issues across the business spectrum, and the need for all companies to seriously assess their vulnerabilities and best ways to reduce those risks, as well as implementing effective procedures by which to handle attacks (and respond thereto with a minimum of business disruption).
It is therefore strongly recommended that all organizations utilize some form of cyber risk assessment and analysis – whether or not it is the formulation outlined in the PCF — to correctly position themselves against the threat of cyber infrastructure attacks – whether or not their systems are “critical.”
However, it is important to note that although the proposed framework is indeed voluntary, it does pose a risk that in “suggesting” the widespread adoption of certain industry practices, NIST is also providing private litigants and regulators with a means by which to bolster their efforts to induce critical infrastructure operators to adopt certain security practices as outlined in the framework. Indeed, the framework as ultimately adopted next year could also be used by participants in private disputes to establish the reasonableness or unreasonableness of a given company's existing data security strategies and efforts.
For those interested in submitting electronic comments with respect to the PCF, the appropriate website is at email@example.com, and all comments should be in either Word or Excel format. Written comments should be directed to:
Information Technology Laboratory
ATTN: Adam Sedgewick
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
NIST will also be conducting its Fifth Cybersecurity Framework workshop on November 14-15, 2013 in Raleigh, NC, to be hosted by North Carolina State University. At this workshop, NIST will continue previous discussions on the implementation and future governance of the Cybersecurity Framework. The draft agenda for this conference was issued on October 23.
Drinker Biddle will follow up on the PCF when the final version is announced in February 2014.