Publication - 10/30/2013

NIST Releases Draft Cybersecurity Framework

Client Alert

By Kenneth K. Dort

Last week the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its long-anticipated draft “Preliminary Cybersecurity Framework” (PCF). This PCF lays out a proposed framework by which both private and public companies that work with “critical infrastructures” may (i) better evaluate cyber-risk, (ii) prepare better defenses against the threat of cyber-attacks, and (iii) prepare focused recovery/remedial protocols in response to any such attacks.

The PCF arises from the President’s February 12, 2013 Executive Order 13636, which called for NIST’s development of a “framework” providing a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for “critical infrastructure services” to manage cybersecurity risk. The PCF will commence a 45-day public comment period followed by the PCF’s finalization in February 2014.

The new framework outlined in the PCF sets out specific steps and best practices for all organizations, both public and private, small and large, to implement so as to better protect the U.S.’s critical cyber infrastructure. The PCF sets out a proposed risk-based approach to combating cybercrime, and summarizes five basic functions (a so-called “Framework Core”) for cybersecurity protocols: (i) identify, (ii) protect, (iii) detect, (iv) respond and (v) recover. In addition, Appendix B of the PCF supplies a “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program,” which provides a set of specific privacy considerations outlined using the format suggested in the PCF’s Framework Core. For each function and category identified in the PCF, the document sets out in detail the relevant topics and issues along with supporting source materials. Significantly, the PCF as currently outlined imposes no legally binding regulations or requirements, but is instead grounded on a “voluntary basis” and is intended to serve as a model process that organizations may adapt to their own specific cybersecurity needs and circumstances.

Second, the PCF provides for a “Framework Profile,” which is intended to show organizations one approach to tracking cyber threat defense efforts against targeted goals. This tool can then be used to gauge the allocation of resources across larger defense projects. In short, this suggested tool provides organizations with a simple, yet direct, way to self-assess the implementation progress of their risk assessment and defensive/responsive measures.

Finally, the PCF provides for “Framework Implementation Tiers,” which are aimed at assessing the relationships between an organization’s overall risk management functions, such as current risk assessment practices, actual threat environment analyses, legal/regulatory requirements, business objectives and organizational restrictions. These tiers are used to assess the overall level of an organization’s handling of cyber risk, starting at “Tier 1: Partial”, proceeding up to “Tier 2: Risk-Informed”, then to “Tier 3: Risk-Informed and Repeatable”, and culminating with “Tier 4: Adaptive.”

It is important to note that the PCF is a suggested “means” to the implementation of either (i) an improved and more robust cyber defense program (for those organizations having a current program), or (ii) an initial program (for those organizations lacking one). It gives organizations the ability to evaluate their risks and the need (if any) for greater assessment efforts (qualitatively, quantitatively, or both). While any specific organization’s risk environment and susceptibility to cyber attack will differ from those of other organizations, the risk facing those companies implementing “critical infrastructure” remains high as the incidence of cyber attacks over the last few years continues to escalate.

Thus, it is important for corporate leaders to set cyber defense strategies and facilitate their prompt and efficient implementation. The model laid out by the PCF provides one such avenue of guidelines and methodologies. It also signals the growing importance of cyber security issues across the business spectrum, and the need for all companies to seriously assess their vulnerabilities and the best ways to reduce those risks, as well as to implement effective procedures by which to handle attacks (and respond to them with a minimum of business disruption).

It is therefore strongly recommended that all organizations utilize some form of cyber risk assessment and analysis, whether or not it is the formulation outlined in the PCF, to correctly position themselves against the threat of cyber infrastructure attacks, whether or not their systems are “critical.”

However, it is important to note that although the proposed framework is indeed voluntary, it does pose a risk that in “suggesting” the widespread adoption of certain industry practices, NIST is also providing private litigants and regulators with a means by which to bolster their efforts to induce critical infrastructure operators to adopt certain security practices as outlined in the framework. Indeed, the framework as ultimately adopted next year could also be used by participants in private disputes to establish the reasonableness or unreasonableness of a given company's existing data security strategies and efforts.

For those interested in submitting electronic comments with respect to the PCF, the appropriate e-mail address is csfcomments@nist.gov, and all comments should be in either Word or Excel format. Written comments should be directed to:

Information Technology Laboratory
ATTN: Adam Sedgewick
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930

NIST will also be conducting its Fifth Cybersecurity Framework workshop on November 14-15, 2013 in Raleigh, NC, to be hosted by North Carolina State University. At this workshop, NIST will continue previous discussions on the implementation and future governance of the Cybersecurity Framework. The draft agenda for this conference was issued on October 23.

Drinker Biddle will follow up on the PCF when the final version is announced in February 2014.
