Sean Field, Special Counsel, reports from on the ground at the first day of the National Institute of Standards and Technology (NIST) Cybersecurity Framework Workshop being held in Gaithersburg, Maryland, USA on 16 May 2017

With claims in the press today that a major new Hollywood film has been stolen before its release and is being held for ransom coming on top of the “Wanna Cry” ransomware creating havoc earlier in the week, it seems appropriate to be gathering at the amazing NIST campus in Gaithersburg, Maryland, USA, to discuss cybersecurity.

Attendees from all over the world are gathered to discuss the first proposed revisions (Version 1.1) to NIST’s Cybersecurity Framework (NIST CSF).

The first day has just wrapped up and there have been some fascinating sessions. Here are some highlights.

We have been suggesting to clients for some time that:

  • the NIST CSF can, together with other relevant cybersecurity standards such as the relevant ISO series, form the basis for a cyber risk assessment to assist in satisfying regulatory and other legal obligations; and
  • the NIST CSF is a useful tool for presenting cybersecurity information to company boards in an informative and accessible way.

So it was interesting to learn today that these approaches are common in US companies and to hear that regulators view such approaches in a positive light.

Last Thursday, President Trump signed his much anticipated Cybersecurity Executive Order (EO), mandating compliance with the NIST CSF for Federal agencies.

Although compliance with or application of the NIST CSF are not mandated by law for the private sector in the US, the NIST CSF has long been regarded as having de facto regulatory status and the new cybersecurity EO underlines its importance.

The Australian Government has not as yet mandated any particular cybersecurity standards, so it will be interesting to see if it follows the US Government’s lead in this area.

Here’s a quick wrap up of some other themes from today’s proceedings:

  • cybersecurity efforts require the assembly of an integrated team with expertise across all relevant disciplines (including ICT, security, finance, law, privacy and human resources);
  • the NIST CSF can assist in cybersecurity expenditure planning by identifying where funds are currently being spent; this can help to indicate whether there is an over-emphasis on re-active spending (the “Respond and Recover” functions of the NIST CSF “Core”), suggesting more needs to be done on the preventative side (“Identify and Protect”) of the ledger;
  • among the key changes proposed for version 1.1, new material regarding supply chain risk will be added; this risk varies by organisation but as an example, supply chain risk can arise in a cloud outsourcing where the prime contractor engages subcontractors, third parties and agents in other jurisdictions;
  • another proposed new section for version 1.1 deals with risk management metrics and measures; such metrics and measures permit analysis of the degree to which cybersecurity policies and objectives are successfully achieved and allow for objective measures of success to be included in Board communications.