The White House released today the long-awaited voluntary guidelines intended to encourage companies operating in critical infrastructure sectors to adopt policies to better protect themselves from cyber attacks. The standards were developed through a collaborative process involving the National Institute of Standards and Technology (“NIST”) and critical infrastructure companies such as those involved with energy, transportation, communication, and banking.
The guidelines are formally known as the “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”). In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary, risk-based Cybersecurity Framework—i.e., a set of standards, guidelines, and practices to help organizations manage cyber risks. The resulting Framework announced today is intended to carry out the objectives of the Executive Order by providing a common language to address and manage cyber risk in a cost-effective way without placing additional regulatory requirements on businesses. The ultimate goal is to provide companies overseeing the nation’s crucial infrastructure with a blueprint for identifying potential threats, protecting themselves from cyber attacks, and quickly recovering if an attack occurs.
In a statement, Obama warned that cyber threats “pose one of the greatest national security dangers that the United States faces,” echoing the recent judgment of major U.S. intelligence agencies. “While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said. “America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable Internet.”
The Framework does not mandate specific security controls; instead, it is intended to provide guidance for detecting and responding to attacks, mitigating the fallout from cyber incidents, and managing overall cyber risk. A key objective of the Framework is to provide a common language and mechanism for organizations to:
- Describe their current cybersecurity postures
- Describe their target states for cybersecurity
- Identify/prioritize opportunities for improved risk management
- Assess progress toward a target state
- Foster communication among internal and external stakeholders
Department of Homeland Security (“DHS”) chief Jeh Johnson also announced on Wednesday that the DHS was starting a program to help companies implement the Framework. The government is not, however, providing any tax breaks or other incentives to encourage adoption of the Framework. The White House is instead relying on companies’ sense of self-preservation, together with their strong desire to avoid being victimized by a cyber attack and having to manage the lawsuits that would surely follow.
For a more comprehensive discussion of the NIST Framework and its anticipated impact on companies that are both inside and outside of critical infrastructure sectors, please read this recent article.