Executive Branch acts on cybersecurity - what you need to know about this groundbreaking effort

by DLA Piper

Yesterday, the White House released the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity[i], which is a key step in the implementation of Executive Order 13636 on cybersecurity issued by President Obama in February 2013 (the EO).[ii]

Over the course of the past year, NIST has worked with critical infrastructure (CI) owners and operators, including public and private sector organizations, trade associations and other industry groups, other federal agencies including the Department of Homeland Security and state, local and tribal governments to develop a voluntary, risk-based framework to promote and enhance the security and resiliency of CI and to help organizations, regardless of industry sector or size, to manage cyber risk.  During the development of the Framework, NIST held workshops, requested comments and met with stakeholders in order to maximize private sector input to ensure the Framework reflects current industry sector standards, guidelines and best practices.   

Administration speakers emphasized today that the Framework is intended to be voluntary and flexible.  Whether or not use of the Framework is later required by regulation in critical infrastructure sectors, we think it is likely that some modified version the Framework Core will make its way into commercial contracts for critical infrastructure and possibly other services, and that the plaintiffs’ bar will attempt to test the Framework as a standard of care for cybersecurity.

The Framework is not intended to replace existing sector standards or to add an unnecessary layer on existing standards and practices.[iii]  Instead, it is designed to act as a roadmap for navigating how an organization can apply existing standards and practices in order to build a risk-based cybersecurity plan or improve an existing plan.  In terms of measuring whether an organization has “adopted” or “implemented” the Framework, the Administration has moved away from these rigid terms in favor of simply encouraging organizations to “use” the Framework.  Over the past year, NIST has made changes to the Framework that encourage its use, whether for measuring current cybersecurity activities and risks, strengthening current practices, evaluating the adoption of a cybersecurity plan based upon the Framework or establishing long-term cybersecurity goals.

The Framework is version 1.0, and the Administration plans for subsequent versions to be updated and refined, although NIST will be handing off its role overseeing these changes to a yet to be determined private sector organization.  Prior to that time, this spring or summer, NIST plans to hold additional workshops on the Framework.  NIST officials have indicated that at least one workshop will address privacy and civil liberties, in an effort to foster the development of  privacy standards, which could be included in future versions of the Framework.

Will the Framework be required by regulation?

Under the EO, agencies with regulatory authority over CI were required to report to the President by January 20, 2014 (which was 90 days following release of the preliminary version of the Framework on October 22, 2013) on whether current cybersecurity regulatory requirements are sufficient, whether the agency has clear authority to establish any necessary cybersecurity requirements based upon the Framework, and whether additional authorities are required.  Agencies that identify insufficient requirements were required to propose actions to mitigate cyber-risks on the same timeline.  

Because NIST does not have authority to impose the Framework by regulation, these reports and recommendations will be a key sign of whether following the Framework will be truly voluntary and industry driven or required be regulation.  Today, White House Cybersecurity Coordinator Michael Daniel stated that the Framework is intended to be voluntary and flexible and that Executive Branch agencies will not be expanding cybersecurity regulation using the Framework, although they may harmonize and align existing regulations with the Framework.

Within two years of the Framework’s publication, these agencies are required to report to the Office of Management and Budget (OMB) on any “ineffective, conflicting, or excessively burdensome cybersecurity requirements.”[iv]  These reports will be another opportunity to evaluate the Framework and its application in regulated industries in particular.

In the event incentives have not been created for organizations to adopt the Framework, these reports will also be an opportunity to identify opportunities for streamlined regulation, one of the incentives that has been discussed by the Administration.[v]          

What the Framework contains

The Framework is composed of:

1) the Framework Core, a set of cybersecurity activities and outcomes applicable across all CI sectors

2) the Framework Profile, which allows organizations to apply cybersecurity activities to its unique business requirements, risk tolerances and resources and

3) the Framework Implementation Tiers, which allow an organization to gauge its cybersecurity by comparing characteristics and approaches to managing cyber risks.

The EO also requires that the Framework include a methodology to guide organizations in navigating  privacy and civil liberties considerations in the context of each organization’s cybersecurity program.  In contrast to the preliminary version of the Framework released by NIST in October, the Methodology to Protect Privacy and Civil Liberties, in response to heavy private sector opposition, has been revised, becoming a much more focused alternative methodology proposed to NIST by an informal coalition of companies and trade groups, which our lawyers helped to draft.

Framework Core

One of the Administration’s goals under the Executive Order has been to identify and incorporate cybersecurity standards and practices that are common to organizations regardless of CI sector.  The Framework Core provides a common lexicon to:

1) establish current cybersecurity posture and establish goals

2) communicate cybersecurity activities between various levels of an organization from the executive to the operational levels

3) assess progress and

4) communicate to cybersecurity policies and risks external stakeholders.

The Core is based upon five “functions” undertaken by organizations in conjunction with cybersecurity: Identify, Protect, Detect, Respond and Recover.  Each function is linked to categories of activities such as governance, risk assessment, access control, and anomalies and events, which can be evaluated and used by each organization based upon its business needs.  The categories are broken down into subcategories of activities, such inventorying physical devices and systems, establishing response plans and incident recovery plans, and identifying internal and external threats.  Each of the subcategories is linked to various “Informative References” or standards and guidelines applicable to organizations regardless of sector and developed by standards bodies including ISO, ANSI, NIST, ISA and others.

Companies reviewing the Framework Core and its subcomponents against their own technical environment will need to consider a deep dive into both the technical components of their cybersecurity program and the governance and policy mechanisms that are driving activities within the program.  Examples of topic areas for this deep dive include:

Asset management:  A review of physical system and device assets and other, intangible assets, such as data and data flows.  Organizations will benefit from an organized, focused and integrated approach that brings together specialized knowledge within diverse areas of the organization.  Creating and maintaining accurate asset inventories and data maps will be critical.

Governance/policy review:  It will be important to review policies for both their content (i.e., do the policies appropriately require compliance?) and their level of actual implementation within the organization.  The Framework states that governance must actively manage and monitor and, also, inform management of cyber-risk.

Protective technology: The Framework stresses the importance of implementing protective technology.  It will be important for organizations both to assess the technology that is in place today (i.e., have critical projects been completed?) and, at the same time, consider whether their current technology is designed to maintain currency as threats evolve.  The Framework urges technologies that can promptly detect and report upon threats, as opposed to being largely reactive in nature.

Training and response planning: The Framework stresses the importance of preventive planning before an event occurs.  This includes properly training personnel, having an incident plan and, perhaps most importantly, being tactically ready to use the plan at a moment’s notice.  Companies reviewing the Framework Core against their own practices should ask whether plans that are currently on the shelf are up to date, actionable and contain all steps necessary to comply with applicable regulatory and third party demands.

Third-party/supply chain management: As recent retailer breaches have demonstrated, even suppliers in relatively mundane areas can be used as vectors for attacks.  It will likely become increasingly important to take the Framework Core into account when both negotiating new agreements with suppliers and reviewing existing agreements for sufficiency.  Implementing diligence, contracting and vendor management strategies designed to mitigate and properly allocate cyber-risks so that your company is not left absorbing unmanageable liability, including through the lens of the Framework, must be considered.  Indeed, at the White House event announcing the Framework, CEOs of AT&T, Lockheed-Martin and Pepco all stated that the Framework will be a key tool for educating and managing their supply chain on cybersecurity.

[i] See this page.

[ii] See this page.

[iii] Organizations that follow existing industry standards, such as NERC-CIP for the electricity industry, will be treated as having adopted the Framework. 

[iv] Id. at Sec. 10(c).

[v] The White House incentives are available here.  The EO requires the Secretary of Homeland Security to develop a program to support the voluntary adoption of the Framework by CI organizations and other entities (the Voluntary Program).  One component of the Voluntary Program is incentives for adoption - to date, which the Administration has not made meaningful progress regarding such incentives.


Written by:

DLA Piper

DLA Piper on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.