The National Institute of Standards and Technology (“NIST”) has released the final version of the much-anticipated Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). The Framework was developed by NIST at the direction of President Obama’s February 12, 2013, Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (the “Executive Order”).
The Framework largely retains the structure and components of the preliminary version of the Framework (a discussion of which can be found here), including (i) the Framework Core, (ii) the Framework Implementation Tiers, and (iii) the Framework Profile. The Framework omits Appendix B of that preliminary version, the “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program.” The preliminary version’s Appendix B incorporated references to the Fair Information Practice Principles, and became a lightning rod for industry commentators.
Consistent with the Executive Order, the Framework asserts that its use by critical infrastructure is voluntary. Section 10 of the Executive Order may prove otherwise. That section instructs agencies with responsibility for regulating the security of critical infrastructure to perform a gap analysis between the Framework and current cybersecurity regulatory requirements. These agencies have ninety (90) days from the release of the Framework to propose “prioritized, risk-based, efficient, and coordinated actions . . . to mitigate the risk.” This analysis could very well lead to regulatory adoption of the Framework in various industries.