On February 12, 2014, the Obama administration released the "Framework for Improving Critical Infrastructure Cybersecurity" (the "Framework"), a voluntary cybersecurity framework developed by the National Institute of Standards and Technology ("NIST") in collaboration with a large number of groups and individuals from both the public and private sector.1 This occurred exactly one year after President Obama signed Executive Order 13636 for "Improving Critical Infrastructure Cybersecurity,"2 which directed NIST and other federal agencies to work with the private sector to develop voluntary cybersecurity standards for private companies that operate "critical infrastructure," physical or virtual systems and assets so vital to the U.S. that their incapacity or destruction would have a debilitating impact on security, the economy, public health or safety.3 The Framework outlines existing best practices and standards commonly used among banks, utilities and other critical infrastructure providers and "provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs."4 The Framework is technology and industry neutral and intended to complement, not replace, an organization’s risk management process and cybersecurity program by providing tools to identify gaps in its practices and develop a roadmap for continuous improvement. For organizations without a program in place, the Framework is intended to provide a foundation to design and implement a cybersecurity program.
The Framework is comprised of three primary components: the Framework Core, the Framework Implementation Tiers and the Framework Profiles. The Framework Core sets forth cybersecurity activities that are commonly employed across critical infrastructure sectors to achieve specific outcomes and provides examples of existing standards to facilitate implementation of those activities. The Framework Core addresses five basic functions to be included in an organization’s cybersecurity risk management program:
- Identify – understanding systems, engaging in risk assessment and asset management
- Protect – developing safeguards for delivery of critical infrastructure services (e.g., training, data security and access control)
- Detect – performing detection and monitoring activities to identify cybersecurity events
- Respond – creating action plans for responding to and mitigating cybersecurity events
- Recover – restoring damaged capabilities and making improvements after an incident
The Framework Implementation Tiers allow an organization to classify the extent to which its cybersecurity risk management practices are rigorous and sophisticated (e.g., repeatable, adaptive and risk and threat aware), informed by business needs and integrated into its overall risk management practices, on a four-point scale from "partial" to "adaptive." The Framework Profiles provide a mechanism to create "profiles" that reflect the overall state of cybersecurity risk management, including the alignment of cybersecurity activities with business requirements, risk tolerance and resources. An organization may create a "current" profile, a snapshot of an organization’s existing cybersecurity practices, as well as a "target" profile, reflecting the desired state of its practices in the future. Organizations may compare these profiles to identify gaps and provide a roadmap for migrating to the "target" state.
Most importantly, the Framework is labeled Version 1.0; it is conceived as a "living" document that will be updated in response to ongoing feedback and changing technology and risks.5 It recognizes that cybersecurity is a rapidly evolving field and it is essential that it does not "freeze" security standards and activities at a point in time. NIST has released a companion "roadmap" to the Framework outlining its plans for future development and further collaboration.6 Technical privacy standards are included in this roadmap as one key area of development. The Framework provides a general methodology to address privacy implications of cybersecurity operations, such as the over-collection or retention of personal information or disclosure of information unrelated to cybersecurity activities. The Framework recommends that companies consider incorporating into their cybersecurity programs privacy principles such as data minimization, transparency and use limitations, and accountability and auditing. NIST plans to host a privacy workshop and seeks to develop more specific privacy technical standards and best practices to be incorporated into the Framework.
Cybersecurity is a matter of critical importance. With the recent spate of high profile hackings and data security breaches, consumer, regulatory and media scrutiny of corporate practices is on the rise. Cybersecurity legislation, however, has trailed what has been happening in the market. It is significant that this initiative was pursuant to an Executive Order. President Obama released a statement supporting the Framework in which he also specifically urged Congress to advance cybersecurity legislation.7 Other private and public sector stakeholders have also noted that further action such as legislation is needed to reconcile inconsistent state laws, to incentivize companies to implement programs that follow the Framework’s principles and to facilitate information sharing between the government and the corporate world.8
In the absence of legislation, the Framework could be used in the context of disputes or enforcement actions as a point of comparison in assessing whether a company's practices are reasonable, or unfair or deceptive. All companies should consider assessing their cybersecurity risk management practices in light of the Framework.