On Friday, October 10th, the window for submitting comments on a Request for Information (RFI) concerning awareness and implementation of the “Framework for Improving Critical Infrastructure Cybersecurity” closes. Companies of all sizes and in all sectors should pay attention to the conclusions the National Institute of Standards and Technology (NIST) draws from those comments.
While NIST has reiterated the voluntary nature of the Framework, the definition of “critical infrastructure” is broad enough to cover most industry sectors, from utilities to healthcare and medical devices. The private sector is also skeptical of that voluntary label and suspects the Framework will evolve into a de facto standard of care. Most companies therefore have an interest in monitoring the content of the Framework, and particularly how compliance with it is to be determined, because over time the Framework is likely to be treated as a benchmark for security.
NIST’s official role in cybersecurity is to consolidate and evaluate standards and practices that then serve as guidance for securing data within the federal government. The Framework was initiated pursuant to an Executive Order (Executive Order 13636) with the goal of reducing cyber risks to the country’s critical infrastructure, and it builds on NIST’s extensive series of publications on data safeguards. Because the Framework addresses the nation’s infrastructure rather than federal systems alone, NIST has a greater need to solicit input from the private sector on which approaches are realistic. The recent RFI accordingly posed nearly two dozen questions and expressly invited respondents to address topics beyond the listed questions.
The NIST Framework should be of interest across industry sectors in part because of its potential future regulatory consequences. In the absence of broad private-sector equivalents, the standards and guidance that NIST produces have increasingly been referenced as a standard of care. That is, if an organization’s security measures diverge from NIST’s “good practices,” the firm may need to demonstrate the value or applicability of the variation in order to deflect criticism, enforcement or liability. This is especially so as state breach notification rules and federal regulators such as the SEC focus on self-reporting of events affecting personal information and proprietary assets.
Liability exclusions and safe harbor mechanisms are outside NIST’s bailiwick, but NIST has included content and questions about how an organization is to be deemed “compliant” with the Framework, and it has said that discussion of such “conformity assessments” will continue. Companies should pay close attention both to the substantive safeguards and to these conformance criteria, as they provide an opportunity for all participants to voice an opinion on the means, carrots and sticks for protecting the country’s critical infrastructure.
Interested parties have until 5:00 p.m. ET on October 10, 2014, to submit comments, and all comments submitted should become publicly accessible in due course.