Late last month, the Federal Trade Commission posted on its business blog an article discussing the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The FTC, which brings data security enforcement actions under its authority to regulate “unfair or deceptive” acts and practices under Section 5 of the FTC Act, explained how the Framework is consistent with its own “process-based” approach to data security. The FTC's discussion of the Framework provides what may be the government's clearest explanation of what the Framework is ‒ and what it isn't ‒ and how companies can use it in evaluating and implementing their own data security measures. And the FTC attempts to answer the oft-asked question of whether "compliance" with the Framework constitutes compliance with the FTC's data security requirements ‒ an interesting endeavor, since there's no way to "comply" with the Framework, and the FTC has not established any data security requirements or standards.