Digital Rights Review

The National Institute of Standards and Technology (NIST), a non-regulatory agency within the Department of Commerce, is responsible for developing technology, metrics, and standards for federal agencies. Although relatively small and unknown by the public, it is a leader in the data protection, cybersecurity, and privacy fields. In recent years, its reach and influence in such fields have begun to extend to the private sector.

Among other duties, NIST promulgates standards and guidelines to ensure government information is secure. These standards are constantly evolving and being updated. For example, in 2013, President Obama issued Executive Order 13636, which instructed NIST to improve critical infrastructure cybersecurity, with "critical infrastructure" including industries vital to the country's economy, security, and health. In short, NIST is, in part, responsible for helping to assess cybersecurity risks to American infrastructure, including, but not limited to, the finance, energy, and healthcare industries, and for determining what measures can be put in place to prevent major security attacks. Because of the scope of the Order, and the importance of the underlying goal, the requisite NIST standards, referred to as the Cybersecurity Framework, are comprehensive. Moreover, in order to make the first draft of the Cybersecurity Framework as effective as possible, NIST sought advice not only from government actors, but also from the private sector. Since 2013, NIST has held several Cybersecurity Framework workshops with thousands of participants, ranging from members of industry associations and private companies to employees at government agencies. A first version of the Cybersecurity Framework was released in 2014, but NIST frequently updates its standards and guidelines. On January 10, 2017, NIST released a new draft version 1.1 of its Cybersecurity Framework (CSF). Details of the changes can be found in the following Venable Cybersecurity Alert.

While NIST's cybersecurity and privacy guidelines, including the updated Cybersecurity Framework, were created for use by federal agencies, NIST's influence and standards are now seen in the private sector and in many private sector commercial agreements. A recent Gartner study reported that NIST's Cybersecurity Framework is already used by 30% of U.S. organizations. This number is expected to rise to 50% by 2020. According to a March 2016 survey by Dimensional Research, 70% of these organizations adopted the framework to align themselves with cybersecurity best practices, 29% were required to do so by business partners, and 28% adopted the framework because of federal contract requirements.

NIST standards are voluntary, but following them can be beneficial for both vendors and clients. First, the standards are flexible and can be adjusted based upon the size of the organization. Therefore, compliance with the standards is not set at a certain higher level for small organizations or at a lower level for large organizations. Additionally, while it is impossible to prevent security breaches altogether, the NIST standards are recognized as providing "adequate security." The standards were intended to help protect highly sensitive government infrastructure and were created with input from the private sector. As a result, the NIST standards are viewed as a reasonable approach, which blends well with the reasonableness requirements of many commercial agreements. If a data incident occurs, and the vendor has been following NIST standards, potential damages may be lessened. The NIST standards also represent the most comprehensive guidelines for data security to date, and provide tangible steps to protect data. Therefore, it is easy to reference these standards as minimum requirements in commercial contracts. The customer receives adequate protection, while a widely adopted approach to security is available to the vendor.

While NIST is not universally known or widely viewed as an authority on the creation of industry standards, its security framework is impacting not only federal agencies, but also private industries. With guidance from counsel, private companies can include or reference NIST standards in commercial contracts as a means to address information security.