Yesterday, the White House released the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity[i], which is a key step in the implementation of Executive Order 13636 on cybersecurity issued by President Obama in February 2013 (the EO).[ii]
Over the course of the past year, NIST has worked with critical infrastructure (CI) owners and operators, including public and private sector organizations, trade associations and other industry groups, other federal agencies including the Department of Homeland Security and state, local and tribal governments to develop a voluntary, risk-based framework to promote and enhance the security and resiliency of CI and to help organizations, regardless of industry sector or size, to manage cyber risk. During the development of the Framework, NIST held workshops, requested comments and met with stakeholders in order to maximize private sector input to ensure the Framework reflects current industry sector standards, guidelines and best practices.
Administration speakers emphasized today that the Framework is intended to be voluntary and flexible. Whether or not use of the Framework is later required by regulation in critical infrastructure sectors, we think it is likely that some modified version of the Framework Core will make its way into commercial contracts for critical infrastructure and possibly other services, and that the plaintiffs’ bar will attempt to test the Framework as a standard of care for cybersecurity.
The Framework is not intended to replace existing sector standards or to add an unnecessary layer on existing standards and practices.[iii] Instead, it is designed to act as a roadmap for navigating how an organization can apply existing standards and practices in order to build a risk-based cybersecurity plan or improve an existing plan. In terms of measuring whether an organization has “adopted” or “implemented” the Framework, the Administration has moved away from these rigid terms in favor of simply encouraging organizations to “use” the Framework. Over the past year, NIST has made changes to the Framework that encourage its use, whether for measuring current cybersecurity activities and risks, strengthening current practices, evaluating the adoption of a cybersecurity plan based upon the Framework or establishing long-term cybersecurity goals.
The Framework released yesterday is version 1.0, and the Administration plans for subsequent versions to be updated and refined, although NIST will be handing off its role overseeing those changes to a yet to be determined private sector organization. Before that handoff, NIST plans to hold additional workshops on the Framework this spring or summer. NIST officials have indicated that at least one workshop will address privacy and civil liberties, in an effort to foster the development of privacy standards that could be included in future versions of the Framework.
Will the Framework be required by regulation?
Under the EO, agencies with regulatory authority over CI were required to report to the President by January 20, 2014 (which was 90 days following release of the preliminary version of the Framework on October 22, 2013) on whether current cybersecurity regulatory requirements are sufficient, whether the agency has clear authority to establish any necessary cybersecurity requirements based upon the Framework, and whether additional authorities are required. Agencies that identify insufficient requirements were required to propose actions to mitigate cyber-risks on the same timeline.
Because NIST does not have authority to impose the Framework by regulation, these reports and recommendations will be a key sign of whether following the Framework will be truly voluntary and industry driven or required by regulation. Today, White House Cybersecurity Coordinator Michael Daniel stated that the Framework is intended to be voluntary and flexible and that Executive Branch agencies will not be expanding cybersecurity regulation using the Framework, although they may harmonize and align existing regulations with the Framework.
Within two years of the Framework’s publication, these agencies are required to report to the Office of Management and Budget (OMB) on any “ineffective, conflicting, or excessively burdensome cybersecurity requirements.”[iv] These reports will be another opportunity to evaluate the Framework and its application in regulated industries in particular.
If incentives for organizations to adopt the Framework have not been created by then, these reports will also be an occasion to identify opportunities for streamlined regulation, one of the incentives the Administration has discussed.[v]
What the Framework contains
The Framework is composed of:
1) the Framework Core, a set of cybersecurity activities and outcomes applicable across all CI sectors
2) the Framework Profile, which allows an organization to align cybersecurity activities with its unique business requirements, risk tolerances and resources, and
3) the Framework Implementation Tiers, which allow an organization to gauge its cybersecurity practices by comparing the characteristics of its approach to managing cyber risk against a defined progression of tiers.
The EO also requires that the Framework include a methodology to guide organizations in navigating privacy and civil liberties considerations in the context of each organization’s cybersecurity program. In contrast to the preliminary version of the Framework released by NIST in October, the Methodology to Protect Privacy and Civil Liberties has been revised in response to heavy private sector opposition. It is now a much more focused alternative methodology, proposed to NIST by an informal coalition of companies and trade groups, which our lawyers helped to draft.
One of the Administration’s goals under the Executive Order has been to identify and incorporate cybersecurity standards and practices that are common to organizations regardless of CI sector. The Framework Core provides a common lexicon to:
1) establish current cybersecurity posture and establish goals
2) communicate cybersecurity activities between various levels of an organization from the executive to the operational levels
3) assess progress and
4) communicate cybersecurity policies and risks to external stakeholders.
The Core is organized around five “functions” that organizations perform in managing cybersecurity: Identify, Protect, Detect, Respond and Recover. Each function is linked to categories of activities, such as governance, risk assessment, access control, and anomalies and events, which each organization can evaluate and apply based upon its business needs. The categories are broken down into subcategories of activities, such as inventorying physical devices and systems, establishing response plans and incident recovery plans, and identifying internal and external threats. Each subcategory is linked to “Informative References,” meaning standards and guidelines applicable to organizations regardless of sector and developed by standards bodies including ISO, ANSI, NIST, ISA and others.
Companies reviewing the Framework Core and its subcomponents against their own technical environment will need to consider a deep dive into both the technical components of their cybersecurity program and the governance and policy mechanisms that are driving activities within the program. Examples of topic areas for this deep dive include:
Asset management: A review of physical system and device assets and other, intangible assets, such as data and data flows. Organizations will benefit from an organized, focused and integrated approach that brings together specialized knowledge within diverse areas of the organization. Creating and maintaining accurate asset inventories and data maps will be critical.
Governance/policy review: It will be important to review policies both for their content (i.e., do the policies appropriately require compliance?) and for their level of actual implementation within the organization. The Framework states that governance must actively manage and monitor cyber risk and also keep management informed of it.
Protective technology: The Framework stresses the importance of implementing protective technology. It will be important for organizations both to assess the technology that is in place today (i.e., have critical projects been completed?) and to consider whether their current technology is designed to keep pace as threats evolve. The Framework favors technologies that can promptly detect and report on threats over technologies that are largely reactive in nature.
Training and response planning: The Framework stresses the importance of preventive planning before an event occurs. This includes properly training personnel, having an incident plan and, perhaps most importantly, being tactically ready to use the plan at a moment’s notice. Companies reviewing the Framework Core against their own practices should ask whether plans that are currently on the shelf are up to date, actionable and contain all steps necessary to comply with applicable regulatory and third party demands.
Third-party/supply chain management: As recent retailer breaches have demonstrated, even suppliers in relatively mundane areas can be used as vectors for attacks. It will likely become increasingly important to take the Framework Core into account both when negotiating new agreements with suppliers and when reviewing existing agreements for sufficiency. Companies should consider diligence, contracting and vendor management strategies, including ones viewed through the lens of the Framework, that are designed to mitigate and properly allocate cyber risk so that the company is not left absorbing unmanageable liability. Indeed, at the White House event announcing the Framework, the CEOs of AT&T, Lockheed-Martin and Pepco all stated that the Framework will be a key tool for educating and managing their supply chains on cybersecurity.
[i] See this page.
[ii] See this page.
[iii] Organizations that follow existing industry standards, such as NERC-CIP for the electricity industry, will be treated as having adopted the Framework.
[iv] Id. at Sec. 10(c).
[v] The White House incentives are available here. The EO requires the Secretary of Homeland Security to develop a program to support the voluntary adoption of the Framework by CI organizations and other entities (the Voluntary Program). One component of the Voluntary Program is incentives for adoption; to date, the Administration has not made meaningful progress on such incentives.