In the past week, both the White House and Senate have taken some notable steps on cybersecurity. Both sets of developments largely relate to the Cybersecurity Framework being developed by the National Institute of Standards and Technology (NIST) pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
On July 30, the Senate Committee on Commerce, Science, and Transportation unanimously approved the Cybersecurity Act of 2013, sponsored by Senators Rockefeller (D-WV) and Thune (R-SD). The bill, first introduced on July 24, would codify the process by which NIST is charged with developing a Cybersecurity Framework. The bill would require NIST to, “on an ongoing basis, facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure”—largely tracking the language used in the Executive Order to guide NIST’s creation of the Cybersecurity Framework already under development. The bill further emphasizes, however, that NIST should “coordinate closely and continuously” with the private sector in developing the Framework. The Cybersecurity Act also includes measures designed to spur cybersecurity research and development, education, and public awareness. The bill did not include measures relating to information-sharing programs or new SEC disclosure requirements, despite significant attention to these topics by Senator Rockefeller.
On August 6, the White House released a statement regarding the “Incentives to Support Adoption of the Cybersecurity Framework.” The Executive Order required the Departments of Homeland Security, Commerce, and Treasury to make recommendations to the President regarding incentives designed to promote Framework adoption, including incentives that would require further legislation to achieve. The White House statement links to the three agencies’ recommendations and summarizes eight areas where the White House identified commonalities across the agencies’ reports:
- Cybersecurity Insurance: Collaborate with the insurance industry to “build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”
- Grants: Use Framework adoption as a condition or weighted criterion for grants.
- Process Preference: Expedite government services such as technical assistance (outside of the incident response context) based on Framework adoption as a secondary criterion for prioritization.
- Liability Limitation: Consider reduced tort liability, limited indemnity, lower burdens of proof, or creation of a federal legal privilege preempting state disclosure requirements.
- Streamline Regulations: Eliminate overlaps between Framework adoption and existing laws and regulations.
- Public Recognition: Consider optional recognition of Framework adoptees.
- Rate Recovery for Price Regulated Industries: Consider allowing utilities to recover for cybersecurity investments related to Framework adoption.
- Cybersecurity Research: Spur research and development where commercial solutions do not exist to implement Framework areas
Both Commerce and Treasury recommended against tax incentives. And while Treasury recommended further incentives regarding expedited security clearances, Commerce recommended against such measures.
In the meantime, NIST has been actively developing the Framework. On July 1, NIST published a draft outline of the Framework. NIST has also announced that it expects to publish in August a Draft Preliminary Cybersecurity Framework for stakeholder review and input. And in September, NIST will hold its fourth and final Framework workshop, which will focus on the August draft and other topics to be announced. NIST then expects to publish the Preliminary Framework for formal public comment on October 10.