On October 22, 2013, the National Institute of Standards and Technology (“NIST”) issued the Preliminary Cybersecurity Framework (the “Preliminary Framework”), as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Preliminary Framework includes standards, procedures and processes for reducing cyber risks to critical infrastructure. It will be published in the Federal Register within a few days for public comment. Under the Executive Order, NIST is required to issue a final version of the Framework in February 2014. NIST is planning to host a public workshop on the Preliminary Framework in mid-November to give industry and other groups an opportunity to provide their views on this document.
The Preliminary Framework is organized into five overarching cybersecurity functions: (1) identify, (2) protect, (3) detect, (4) respond and (5) recover. Each function has multiple categories, which are more closely tied to programmatic activities. They include activities such as “Asset Management,” “Access Control” and “Detection Processes.” The categories, in turn, have subcategories, which are tactical activities that support technical implementation. Examples of subcategories include “[a]sset vulnerabilities are identified and documented” and “[o]rganizational information security policy is established.” Finally, the Preliminary Framework includes informative references, which are specific sections of existing standards and practices that are common among various critical infrastructure sectors and illustrate methods to accomplish the activities described in each subcategory.
The current draft of the Preliminary Framework is a flexible document that gives users the discretion to decide which aspects of network security to prioritize, what level of security to adopt, and which standards, if any, to apply. Critical infrastructure owners and operators have been vocal in their opposition to new cybersecurity regulations, and the Administration has emphasized repeatedly that the Preliminary Framework itself does not include any mandates to adopt a particular standard or practice.
However, Section 10 of the Executive Order directs sector-specific agencies to engage in a “consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.” If such agencies deem the current regulatory requirements to be insufficient, then within 90 days of the publication of the final Preliminary Framework in February 2014, the agencies “shall propose prioritized, risk-based, efficient, and coordinated actions…” This process could lead to new cybersecurity regulations in various sectors, reshape underwriting standards, and affect standards of reasonableness in litigation relating to cybersecurity incidents.