On Feb. 12, 2014, the National Institute of Standards and Technology (NIST) released its final Cybersecurity Framework, meeting the one-year deadline set on the anniversary of President Obama’s Executive Order and a Presidential Policy Directive to reduce cyber risks to critical infrastructure. The Framework comes amid the ever-growing prominence of data security issues: more incidents of electronic data theft are receiving extensive media coverage; class-action litigation is on the rise; the FTC is stretching its enforcement authority under Section 5 of the FTC Act; and Congress and state legislatures are considering options for cyber and data security legislation. Last week alone, three different Congressional committees held hearings to examine the handling of payment card information, intellectual property, and other data. Without Congressional action, the Framework remains voluntary for the companies it addresses, such as banks, communications companies, utilities, and healthcare providers. But the Framework can serve as a guide to evolving government expectations.
President Obama directed NIST to create the Cybersecurity Framework in Executive Order (EO) 13 and Presidential Policy Directive (PPD) 21, issued in February 2013. Since then, NIST has called for and obtained input from stakeholders, conducted a series of workshops, issued drafts of the Framework, and worked closely with stakeholders to refine those drafts. The Framework proposes a model for organizations to identify and manage the risks specific to their activities. The principal change in the final version is to incorporate protections for privacy and civil liberties throughout the Framework, rather than create a separate privacy methodology as in the previous draft; that change has provoked some concerns from privacy advocates.
What Organizations Are Targeted by the Framework?
The Executive Order defines “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive lists 16 sectors that are deemed “critical infrastructure,” which encompass much of the economy.
The Presidential Policy Directive declares that communications and energy systems are “uniquely critical” infrastructure because they enable all other critical infrastructure systems to function. Other named sectors include: financial services, healthcare, information technology, nuclear and water utilities, food and agriculture, manufacturing, chemical, emergency services, government institutions, commercial businesses, transportation, and national defense-related entities.
Recognizing that many industries already have detailed standards for cybersecurity, the Framework states that it is not intended to replace any of those existing standards. Instead, NIST envisions the Framework as an additional tool that entities may use to assess their current cybersecurity from a high level, and to identify steps that might (or should) be taken to reduce identified risks.
Voluntary Adoption, Incentives, Legislation, and Litigation Risks
NIST has no enforcement authority, and the Framework is voluntary.
In an effort to promote private enterprise adoption of the Framework, however, last year the Administration identified potential incentives for industry adoption, including: lower premiums for cybersecurity insurance; preferences for entities seeking federal grants; technical assistance; reduced regulatory obligations; and limits on liability for owners and operators of critical infrastructure that adopt the Framework. To date, there has been no progress in establishing any such incentives, most of which would require Congress to pass legislation.
There are, however, several bills pending in Congress that would give the Department of Homeland Security (DHS) expanded authority over the cyber-readiness of critical infrastructure and other private entities. Another bill in the Senate would impose certain limits on liability and provide important defenses to entities that use DHS-approved cyber-defense technology. Although each bill in its current form would maintain the voluntary nature of cybersecurity standards, there is ample opportunity to add mandates in the legislative process.
Independent of future legislation, there is a risk that when critical infrastructure owners and operators face litigation arising from cyber incidents, the Framework will be held out by litigants as a de facto standard of care.
For its part, the FTC has not awaited Congressional action. It has settled 50 law enforcement actions against businesses that it alleged failed to protect consumers’ personal information appropriately. And although the FTC’s power to regulate data security is being challenged in two cases, it is clear that absent a change in law, the FTC is prepared to use its general enforcement power to send signals for companies to increase their security. In its investigations of data security practices, for example, the FTC has considered whether the risks to data were known or foreseeable, the costs and benefits of various countermeasures, and the availability of tools in the marketplace. As the FTC recently explained, the “fifty data security settlements reflects its commitment to ensure that companies employ reasonable measures to safeguard consumer data.”
Summary of the Cybersecurity Framework
The Framework provides three sets of tools for organizations to use in their ongoing assessment of cybersecurity risks, implementation of strategies, and allocation of resources to reduce those risks:
The Framework Core provides a high-level strategic view of an organization’s existing and target activities for addressing cybersecurity risks, organized around five Functions: Identify, Protect, Detect, Respond, Recover. These Functions are subdivided further into key Categories and Subcategories, each of which describes a specific outcome desired by the organization (such as “organizational communication and data flows are mapped”). These outcomes in turn correspond to examples of existing industry standards, guidelines, and practices that are common among critical infrastructure sectors and offer a way to achieve the desired outcomes.
The Framework Implementation Tiers offer context for an organization to methodically grade its current level of cybersecurity risk management and examine whether it is cost-effective to reduce those risks in light of business objectives. The tiers range from an ad hoc tier at one end (Tier 1) to the highest, “adaptive” tier at the other (Tier 4). These tiers depict a continuum of increasing sophistication in cybersecurity practices and integration with the business.
The Framework Profile offers a tool to measure an organization’s current progress in meeting its targets, create a gap profile, and define strategic areas for improvement, taking into account its assessment of specific cyber risks, and the costs of mitigation measures.
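The Core, Tiers, and Profile fit together as a gap analysis: score where the organization stands on each Core outcome today, score where it wants to be, and rank the shortfalls against the cost of closing them. The following is an added example that illustrates that workflow; it is not NIST's tooling and not code from the Framework. It assumes a per-outcome 0..4 score borrowed from the page's Tier 1..4 scale (NIST applies Tiers to the organization as a whole, so this is a scoring convention, not the Framework's own method). ID.AM-3 is NIST's label for the outcome quoted above; the other identifiers, scores, and cost figures are constructed sample data.

```python
"""Gap profile between a Current Profile and a Target Profile.

Added example, not NIST's own tooling. Assumptions (see lead-in):
- each Core outcome is scored 0..4 (0 = not addressed, 4 = adaptive);
- ID.AM-3 is NIST's identifier; every other identifier, score and cost
  below is constructed sample data.
"""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Outcome:
    ident: str      # Subcategory identifier
    function: str   # one of FUNCTIONS
    text: str       # the desired outcome in plain words


@dataclass(frozen=True)
class GapItem:
    outcome: Outcome
    current: int
    target: int
    cost: int       # constructed relative cost of closing the gap

    @property
    def gap(self) -> int:
        return self.target - self.current


# A handful of Core outcomes, one per Function (identifiers ending in -X are constructed).
CORE = [
    Outcome("ID.AM-3", "Identify", "Organizational communication and data flows are mapped"),
    Outcome("PR.AC-X", "Protect", "Remote access is managed"),
    Outcome("DE.CM-X", "Detect", "The network is monitored to detect potential cybersecurity events"),
    Outcome("RS.CO-X", "Respond", "Personnel know their roles when a response is needed"),
    Outcome("RC.RP-X", "Recover", "The recovery plan is executed during or after an event"),
]

# Constructed sample profiles: where the organization is, where it wants to be, and cost to close.
CURRENT_PROFILE = {"ID.AM-3": 1, "PR.AC-X": 3, "DE.CM-X": 1, "RS.CO-X": 2, "RC.RP-X": 3}
TARGET_PROFILE = {"ID.AM-3": 3, "PR.AC-X": 3, "DE.CM-X": 4, "RS.CO-X": 3, "RC.RP-X": 4}
COSTS = {"ID.AM-3": 2, "PR.AC-X": 3, "DE.CM-X": 5, "RS.CO-X": 1, "RC.RP-X": 2}


def profile_errors(profile, core=CORE):
    """List problems with a profile: unknown identifiers or scores outside 0..4."""
    known = {o.ident for o in core}
    errors = []
    for ident, score in profile.items():
        if ident not in known:
            errors.append(f"unknown outcome {ident}")
        elif not (isinstance(score, int) and 0 <= score <= 4):
            errors.append(f"score for {ident} must be an int in 0..4, got {score!r}")
    return errors


def gap_profile(current, target, costs, core=CORE):
    """Return the outcomes where current < target, largest shortfall first.

    Outcomes absent from the current profile count as not addressed (score 0).
    Among equal gaps, the cheaper fix ranks first, then identifier for determinism.
    """
    for name, profile in (("current", current), ("target", target)):
        errs = profile_errors(profile, core)
        if errs:
            raise ValueError(f"{name} profile: " + "; ".join(errs))
    by_id = {o.ident: o for o in core}
    items = [
        GapItem(by_id[ident], current.get(ident, 0), want, costs.get(ident, 0))
        for ident, want in target.items()
        if current.get(ident, 0) < want
    ]
    items.sort(key=lambda g: (-g.gap, g.cost, g.outcome.ident))
    return items


def summarize_by_function(items):
    """Total shortfall per Core Function, so leadership sees where effort concentrates."""
    totals = {f: 0 for f in FUNCTIONS}
    for g in items:
        totals[g.outcome.function] += g.gap
    return totals


def render(items):
    """One line per gap, in priority order."""
    return "\n".join(
        f"{g.outcome.ident:8} {g.outcome.function:9} current={g.current} "
        f"target={g.target} gap={g.gap} cost={g.cost}  {g.outcome.text}"
        for g in items
    )


if __name__ == "__main__":
    gaps = gap_profile(CURRENT_PROFILE, TARGET_PROFILE, COSTS)
    print(render(gaps))
    print(summarize_by_function(gaps))
```

The ordering rule (largest gap first, then lowest cost) is the simplest stand-in for the risk-and-cost weighing the Profile is meant to support; a real assessment would replace the constructed cost figures with the organization's own estimates and weight each gap by the risk it leaves open.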
NIST plans to continue holding workshops, engaging with stakeholders for additional feedback, and issuing later versions of the Framework.