As called for in President Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” the National Institute of Standards and Technology (“NIST”) has released the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity (the “Framework.”) The Executive Order required NIST to develop a Framework that would provide “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to assist organizations responsible for critical infrastructure to manage cybersecurity risk.
The Executive Order requires the Secretary of the Department of Homeland Security (“DHS”) to coordinate with the Sector Specific Agencies to establish a voluntary program to support the adoption of the Framework by owners and operators of critical infrastructure. In issuing the preliminary Framework, the head of NIST again emphasized the voluntary nature of the Framework. Of course, as required by the Executive Order, the Sector Specific Agencies have published their preliminary recommendations for incentives to adopt the Framework, including the suggestions that adoption of the Framework be a condition for receiving a federal critical infrastructure grant, government services to those who implement the Framework be expedited, and Framework participants be publicly recognized. It remains to be seen whether an entity in the critical infrastructure can remain competitive without adopting the “voluntary” Framework. Further, as with many industry standards, compliance with the Framework may effectively become mandatory if courts look to it as what is reasonable security in the industry. If entities in the critical infrastructure (and beyond) adopt the Framework as the standard for vendor audits, then companies will need to become fluent in using the Framework to communicate about their cybersecurity readiness.
The Framework is intended to help organizations establish a cybersecurity program, assess their already existing cybersecurity program, and communicate cybersecurity requirements or expectations with business partners and service providers. The Framework is built around five functions described as the Framework “Core Functions”: Identify, Protect, Detect, Respond, and Recover. Each Core Function is broken down into Categories and Subcategories, with NIST providing Informative References for each Subcategory, which are existing standards, guidance, and practices that are basically resources to look to for help with that Subcategory. The five Core Functions lead an organization through the process of (1) conducting a risk assessment taking into consideration your organization’s mission objectives, systems, assets, regulatory requirements, and capabilities, as well as the operational environment to discern the likelihood of a cybersecurity event that could impact your organization; (2) developing and implementing appropriate safeguards to protect the organization’s systems, data, and assets; (3) developing and implementing activities to detect a cybersecurity event; (4) developing and implementing activities to take action regarding a detected cybersecurity event; and (5) developing and implementing activities to restore capabilities or critical infrastructure services that were impaired by a cybersecurity event. The second through fifth Core Functions (steps 2-5 in the process) are approached taking into consideration the current and target profiles created by the organization in the first step of the process—“Identify.” The “Identify” function allows the organization to prioritize.
The preliminary Framework released on Tuesday includes an appendix that presents a methodology to address privacy and civil liberties considerations around the deployment of cybersecurity activities and the protection of personally identifiable information, which is based on the Fair Information Practice Principles (“FIPPs”) referenced in the Executive Order. The appendix includes Informative References related to privacy and civil liberties standards, guidance, and best practices, as well.
The preliminary Framework is open for public comment, with the next version planned for February 2014.