On February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the final Cybersecurity Framework, as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Framework, which includes standards, procedures and processes for reducing cyber risks to critical infrastructure, reflects changes based on input received during a widely-attended public workshop held last November in North Carolina and comments submitted with respect to a preliminary version of the Framework that was issued in October 2013.
Differences between the Framework and its preliminary version are generally editorial, and the Framework’s basic structure has remained substantially the same. However, in one notable change, the Framework no longer includes Appendix B, the “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program.” Appendix B of the Preliminary Framework attracted significant opposition from industry because, among other things, of its breadth, prescriptive nature, and failure to reflect the standards contained in a wide range of successful privacy and data protection programs implemented by industry, in partnership with various government agencies. The Framework issued today removes Appendix B and replaces it with a general description of privacy issues that entities should consider in the section on “How to Use the Framework.”
Like the preliminary version, the Framework is broadly broken down into three components: (1) Framework Core, (2) Framework Implementation Tiers and (3) Framework Profile.
The Framework Core is organized into five overarching cybersecurity functions: (1) identify, (2) protect, (3) detect, (4) respond and (5) recover. Each function has multiple categories, which are more closely tied to programmatic activities. They include activities such as “Asset Management,” “Access Control” and “Detection Processes.” The categories, in turn, have subcategories, which are tactical outcomes that support technical implementation. Examples of subcategories include “[a]sset vulnerabilities are identified and documented” and “[o]rganizational information security policy is established.” For each subcategory, the Framework Core lists informative references: specific sections of existing standards, guidelines and practices that are common among various critical infrastructure sectors and that illustrate methods for achieving the outcome described in that subcategory.
The Framework Implementation Tiers describe how an organization views cybersecurity risk and the processes in place to manage that risk. The four tiers, Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3) and Adaptive (Tier 4), describe an increasing degree of rigor and sophistication in cybersecurity risk management practice. Tiers are not maturity levels in the formal sense; progression to a higher tier is encouraged only when such a change would reduce cybersecurity risk and be cost effective.
The Framework Profile is the alignment of the functions, categories and subcategories with the organization’s business requirements, risk tolerance and resources. An organization may develop a current profile based on existing practices and a target profile that reflects a desired set of cybersecurity activities. A comparison of the two profiles may reveal gaps that establish a roadmap for reducing cybersecurity risk that is aligned with organizational and sector goals, considers legal and regulatory requirements and industry best practices, and reflects risk management priorities.
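The profile comparison described above is a simple, mechanical exercise once the Current and Target Profiles are written down per subcategory. The following script is an added illustration, not code from NIST or from the Framework itself. It models a constructed subset of the Framework Core (the subcategory identifiers and outcome text are assumed for illustration, in the style of Framework 1.0; only the two outcomes quoted in the article come from this page), records an implementation status for each subcategory in the Current and Target Profiles, and produces a prioritized roadmap of gaps. The priority weights are an assumption standing in for the organization’s business requirements and risk tolerance, and the example also flags subcategories where the current state exceeds the target, which is where an organization may be over-investing.

```python
"""Current-vs-Target Profile gap analysis (added illustration, not NIST code).

The Core subset, status vocabulary and priority weights below are constructed
for this example; real profiles would cover every subcategory in the Core.
"""
from dataclasses import dataclass

# Implementation status of a subcategory, ordered weakest to strongest.
STATUS = {"not_implemented": 0, "partial": 1, "implemented": 2}
DEFAULT_PRIORITY = 3  # lowest priority used when the organization sets none


@dataclass(frozen=True)
class Subcategory:
    function: str   # one of Identify / Protect / Detect / Respond / Recover
    category: str   # programmatic activity, e.g. "Access Control"
    sub_id: str     # identifier assumed for illustration
    outcome: str    # outcome statement the subcategory describes


# Constructed subset of the Framework Core (identifiers assumed).
CORE = [
    Subcategory("Identify", "Asset Management", "ID.AM-1",
                "Physical devices and systems within the organization are inventoried"),
    Subcategory("Identify", "Risk Assessment", "ID.RA-1",
                "Asset vulnerabilities are identified and documented"),
    Subcategory("Identify", "Governance", "ID.GV-1",
                "Organizational information security policy is established"),
    Subcategory("Protect", "Access Control", "PR.AC-1",
                "Identities and credentials are managed for authorized devices and users"),
    Subcategory("Detect", "Detection Processes", "DE.DP-1",
                "Roles and responsibilities for detection are well defined"),
]

# Constructed sample profiles: sub_id -> status. Anything missing is treated
# as not implemented, which is the conservative reading of a silent profile.
CURRENT_PROFILE = {"ID.AM-1": "implemented", "ID.RA-1": "partial",
                   "PR.AC-1": "partial", "DE.DP-1": "implemented"}
TARGET_PROFILE = {"ID.AM-1": "implemented", "ID.RA-1": "implemented",
                  "ID.GV-1": "implemented", "PR.AC-1": "implemented",
                  "DE.DP-1": "partial"}
# Assumed business priorities (1 = highest); unlisted subcategories get DEFAULT_PRIORITY.
PRIORITY = {"ID.GV-1": 1, "ID.RA-1": 2}


def build_roadmap(current, target, priority, core=CORE):
    """Compare two profiles and return (gaps, over_target).

    gaps: subcategories where target > current, sorted by priority, then by
          the size of the gap (largest first), then by identifier.
    over_target: subcategories where current > target (possible over-investment).
    """
    gaps, over_target = [], []
    for sub in core:
        cur = STATUS[current.get(sub.sub_id, "not_implemented")]
        tgt = STATUS[target.get(sub.sub_id, "not_implemented")]
        if tgt > cur:
            gaps.append({
                "sub_id": sub.sub_id, "function": sub.function,
                "category": sub.category, "outcome": sub.outcome,
                "from": cur, "to": tgt, "severity": tgt - cur,
                "priority": priority.get(sub.sub_id, DEFAULT_PRIORITY),
            })
        elif cur > tgt:
            over_target.append(sub.sub_id)
    gaps.sort(key=lambda g: (g["priority"], -g["severity"], g["sub_id"]))
    return gaps, over_target


def gaps_by_function(gaps):
    """Roll the gap list up to the five Core functions for reporting."""
    counts = {}
    for g in gaps:
        counts[g["function"]] = counts.get(g["function"], 0) + 1
    return counts


if __name__ == "__main__":
    roadmap, over = build_roadmap(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for step, g in enumerate(roadmap, 1):
        print(f"{step}. [P{g['priority']}] {g['sub_id']} ({g['function']}/{g['category']}): "
              f"{g['outcome']} -- status {g['from']} -> {g['to']}")
    print("Gaps per function:", gaps_by_function(roadmap))
    print("Current exceeds target:", over)
```

Running the script lists the governance subcategory first, because its priority is highest and it is entirely missing from the Current Profile, and reports DE.DP-1 as a place where the current state already exceeds what the Target Profile asks for. The sort order is the design choice worth noting: organizational priority outranks gap size, which mirrors the Framework’s point that the roadmap should follow risk management priorities and resources rather than simply closing the largest technical gap first.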
The Framework is a flexible document that gives users the discretion to decide which aspects of cybersecurity to prioritize, what level of security to adopt, and which standards, if any, to apply. This flexibility reflects vocal opposition by critical infrastructure owners and operators to new cybersecurity regulations.
The White House has emphasized repeatedly that the Framework itself does not include any mandates to adopt a particular standard or practice. However, Section 10 of the Executive Order directs sector-specific agencies to engage in a consultative process with the Department of Homeland Security, the Office of Management and Budget, and the National Security Staff to review the Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. If such agencies deem the current regulatory requirements to be insufficient, then they “shall propose prioritized, risk-based, efficient, and coordinated actions…” This process could lead to new cybersecurity regulations in various sectors.
This regulatory review, in conjunction with the Framework being used by insurance underwriters and incentives the Administration is developing to encourage adoption of the Framework, likely will result in the Framework affecting standards of reasonableness in litigation relating to cybersecurity incidents.