NIST Issues Cybersecurity Framework 1.0 While Congress Increases Attention on Data Security and Cyber Crime

by Davis Wright Tremaine LLP

On Feb. 12, 2014, the National Institute for Standards and Technologies (NIST) released its final Cybersecurity Framework, meeting the one year deadline and anniversary of President Obama’s Executive Order and a Presidential Policy Directive to reduce cyber risks to critical infrastructure. The Framework comes amidst ever growing prominence of data security issues: more incidents of electronic data theft are receiving extensive media coverage; class-action litigation is on the rise; the FTC is stretching its enforcement authority under Section 5 of the FTC Act; and Congress and state legislatures are considering options for cyber and data security legislation. Last week alone, three different Congressional committees held hearings to examine the handling of payment card information, intellectual property, and other data. Without Congressional action, the Framework remains voluntary for the companies it addresses—such as banks, communications companies, utilities, and healthcare providers. But the Framework can serve as a guide to evolving government expectations.

President Obama directed NIST to create the Cybersecurity Framework in Executive Order (EO) 13 and Presidential Policy Directive (PPD) 21, issued in February 2013. Since then, NIST called for and obtained input from stakeholders, conducted a series of workshops, issued drafts of the Framework, and worked closely with stakeholders to refine the drafts. The drafts propose a model for organizations to identify and manage the risks specific to their activities. The principal change in this draft is to incorporate protections for privacy and civil liberties throughout the Framework, rather than create a separate privacy methodology as in the last draft, which has provoked some concerns from privacy advocates.

What Organizations Are Targeted by the Framework?
The Executive Order defines “critical Infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive lists 16 sectors that are deemed “critical infrastructure,” which encompass much of the economy.

The Presidential Policy Directive declares that communications and energy systems are “uniquely critical” infrastructure because they enable all other critical infrastructure systems to function. Other named sectors include: financial services, healthcare, information technology, nuclear and water utilities, food and agriculture, manufacturing, chemical, emergency services, government institutions, manufacturing, commercial businesses, transportation, and national defense-related entities.

Recognizing that many industries already have detailed standards for cybersecurity, the Framework states that it is not intended to replace any of those existing standards. Instead, NIST envisions the Framework as an additional tool that entities may use to assess their current cybersecurity from a high level, and to identify steps that might (or should) be taken to reduce identified risks.

Voluntary Adoption, Incentives, Legislation, and Litigation Risks
NIST has no enforcement authority, and the Framework is voluntary.

In an effort to promote private enterprise adoption of the Framework, however, last year the Administration identified potential incentives for industry adoption, including: lower premiums for cybersecurity insurance; preferences for entities seeking federal grants; technical assistance; reduced regulatory obligations; and limits on liability for owners and operators of critical infrastructure that adopt the Framework. To date, there has been no progress in establishing any such incentives, most of which would require Congress to pass legislation.

There are, however, several bills pending in Congress that would give the Department of Homeland Security (DHS) expanded authority over the cyber-readiness of critical infrastructure and other private entities. Another bill in the Senate would impose certain limits on liability and provide important defenses to entities that use DHS-approved cyber-defense technology. Although each bill in its current form would maintain the voluntary nature of cybersecurity standards, there is ample opportunity to add mandates in the legislative process.

Independent of future legislation, there is a risk that when critical infrastructure owners and operators face litigation arising from cyber incidents, the Framework will be held out by litigants as a de facto standard of care.

For its part, the FTC has not awaited Congressional action. It has settled 50 law enforcement actions against businesses that it alleged failed to protect consumers’ personal information appropriately. And although the FTC’s power to regulate data security is being challenged in two cases, it is clear that absent a change in law, the FTC is prepared to use its general enforcement power to send signals for companies to increase their security. In its investigations of data security practices, for example, the FTC has considered whether the risks to data were known or foreseeable, the costs and benefits of various countermeasures, and the availability of tools in the marketplace. As the FTC recently explained, the “fifty data security settlements reflects its commitment to ensure that companies employ reasonable measures to safeguard consumer data.”

Summary of the Cybersecurity Framework
The Framework provides three sets of tools for organizations to use in their ongoing assessment of cybersecurity risks, implementation of strategies, and devotion of resources to reduce those risks:

  • The Framework Core provides a high-level strategic view of an organization’s existing and target activities for addressing cybersecurity risks: Identify, Protect, Detect, Respond, Recover. These Functions are subdivided further into key Categories and Subcategories, which produce specific outcomes desired by the organization (such as “organizational communication and data flows are mapped”). These outcomes in turn correspond to examples of existing industry standards, guidelines and practices that are common among critical infrastructure sectors and offer a way to achieve desired outcomes.
  • The Framework Implementation Tiers offer context for an organization to methodically grade its current level of cybersecurity risk and examine whether it is cost effective to reduce those risks in light of business objectives. The tiers range from an ad hoc tier at one end (Tier 1) to the highest “adaptive” tier at the other (Tier 4). These tiers depict a continuum of increasing sophistication in cybersecurity practices and integration with the business.
  • The Framework Profile offers a tool to measure an organization’s current progress in meeting its targets, create a gap profile, and define strategic areas for improvement, taking into account its assessment of specific cyber risks, and the costs of mitigation measures.

NIST plans to continue holding workshops, engaging with stakeholders for additional feedback, and issuing later versions of the Framework.

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.