The year-long process – led by the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) – of conducting outreach to the private sector, issuing drafts, receiving and evaluating input, and facilitating interagency coordination, ended with the publication last week of the “Framework for Improving Critical Infrastructure Cybersecurity” (Version 1.0). It is a comprehensive document that was initiated by Executive Order 13636 (“Improving Critical Infrastructure Cybersecurity”), and draws heavily from existing standards such as NIST 800-53, ISO 27001, COBIT and others. The Framework represents significant effort by NIST, sector-specific agencies, industry organizations and individual companies to provide an approach for managing cybersecurity risk “for those processes, information, and systems directly involved in the delivery of critical infrastructure services.” This last quote from the “Framework Introduction” section states the purpose and scope of the document. What remains to be seen is the process for implementation, extent and variety of adoption across sectors and industries, and assertion as a “standard” outside of the critical infrastructure context.
The final (at least for now) version of the Framework differs from the “preliminary” Framework document in several ways. More mention is made of business considerations throughout, as well as its applicability to companies of all sizes and risk profiles in many industries. Another point that is made in several places is on achieving “the outcomes described by the Framework,” rather than the fact of implementation itself. Lastly, there is greater emphasis on potential applicability internationally, or at least as a complement to cybersecurity initiatives such as the one under development in the European Union elements of the Framework Core in Appendix A are essentially unchanged from the prior version, but there is new mention of the insider threat, the role of third parties such as vendors, the need to communicate with executive management and boards of directors, and the functional differences between Information Technology and Industrial Control Systems.
The companion “NIST Roadmap” document may be of more interest for the implementation phase. It is the former Appendix C of the preliminary Framework and is directed by subsection 7(b) of the Executive Order. The Roadmap is very similar to Appendix C with one exception: the inclusion of a subsection entitled, “Federal Agency Cybersecurity Alignment.” This new subsection suggests interagency discussions to align the Framework against the Federal Information Security Management Act (FISMA) and leverage the Framework for future federal security standards. One wonders whether the language of subsection 8(e) of the Executive Order regarding the incorporation of security standards into the acquisition and contract administration processes (as demonstrated in recent Department of Defense acquisition regulations) might result in the application of the Framework to all contracting with the government, at least in the critical infrastructure context.
As described in the Roadmap, the coming year will see further outreach by NIST, DHS and the sector-specific agencies to implement and adapt the Framework until NIST issues its formal notice of revision to version 1.0 as the next step in the iterative process. In the meantime, will there be improvements in sharing threat information between the public and private sectors (another goal of the Executive Order) as a result of legislation or implementation of the Framework? And what would “Framework compliance” look like? Subsection 2.2 states: “Successful implementation of the Framework is based upon achievement of the outcomes described in the organization’s Target Profile(s) and not upon Tier determination.” This implies that an owner and operator of a critical infrastructure facility that can reasonably determine that it satisfactorily addresses identified risk at the “Partial” level rather than the “Adaptive” level, and meets its self-defined Target Profile, is operating consistent with the Framework. This makes sense, but will it be acceptable?
The biggest unknown will be the role of privacy and civil liberties in a Framework process with the stated goal of supporting critical infrastructure resilience. The new subsection 3.5 (“Methodology to Protect Privacy and Civil Liberties”) is Appendix B of the preliminary Framework without the matrix. It contains references to individual consent and redress, transparency, accountability and auditing, which reflect some aspects of Federal Trade Commission pronouncements and longstanding European Union data privacy obligations. And one could infer a requirement to conduct a Privacy Impact Assessment for anomalous activity detection and cybersecurity monitoring processes. As noted in many submissions, there are statutory, regulatory and industry privacy structures that are already in place in the private sector. Will aspects of the Framework evolve into a set of technical and process privacy standards that are acceptable to the FTC, EU, and state legislatures or attorneys general? The language of subsection 4.9 of the NIST Roadmap document suggests so: “Furthermore, organizational policies are often designed to address business risks that arise out of privacy violations, such as reputation or liability risks, rather than focusing on minimizing the risk of harm at an individual or societal level.”
Should this be a document that addresses both the resilience of the national critical infrastructure, without which the country cannot function, as well as privacy at the individual and societal level? Regardless of the direction this conversation takes, any private sector critical infrastructure “owner and operator,” at any level or size, should be aware of and possibly participate in the evolution of the Framework. At the very least, it should be able to demonstrate that its cybersecurity program addresses all of the functions of the Framework Core consistent with its self-assessment of its risk tolerance. This will, of course, vary among the sectors and individual companies as is contemplated in the Framework tiers and profiles. There will still be threats, vulnerabilities, risks and breaches. Maybe now there is a nascent structure upon which to build a common approach.