On February 12th, the U.S. National Institute of Standards and Technology (NIST) unveiled version 1.0 of its voluntary Framework for Improving Critical Infrastructure Cybersecurity (Framework). The Framework was developed at the direction of President Obama’s Executive Order 13636 and is designed to assist critical infrastructure sectors (e.g. financial, energy, and health care) in guarding against cyber threats.
Framework 1.0 Update
The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers – combined, the parts provide a foundational structure for managing cybersecurity risk. The Framework incorporates public feedback on the earlier NIST Preliminary Cybersecurity Framework (Preliminary Framework) published last year.
One significant change to the Framework was the removal of Appendix B, titled “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program”. Commentators in industry and academia criticized Appendix B for being “too prescriptive and costly and thus a deterrence to adoption of the Framework”. Appendix B has now been replaced with Section 3.5 of the Framework, which succinctly describes a general set of considerations and processes. Section 3.5 recognizes that organizations may approach privacy and civil liberty considerations through a multiplicity of technical solutions rather than those prescribed in the former Appendix B. Apart from this amendment, the Framework has not materially changed. A more detailed overview of the Framework can be found in our earlier post on the Preliminary Framework.
NIST Roadmap for Improving Cybersecurity
As a companion to the Framework, NIST published a roadmap (Roadmap) that provides insight into its future plans for the Framework. The Roadmap reveals that NIST intends to transition the governance of the Framework to a non-governmental organization, but expects to remain the “convener and coordinator” of the Framework until at least version 2.0. The Roadmap also cites areas for improvement such as: the development of better authentication solutions, the alignment of the existing Federal Information Processing Standards with the Framework, and the advancement of technical privacy standards and best practices.
Cyber Community C3 Voluntary Program
In addition to the release of the Framework, NIST announced the launch of the Critical Infrastructure Cyber Community C3 Voluntary Program (C3 Program), a partnership between the Department of Homeland Security and the critical infrastructure community. The objective of the C3 Program is to encourage and support the use of the Framework. In the coming year, the C3 Program will be focused on discourse with Sector-Specific Agencies that include, among a list of 16 sectors, the financial services, healthcare and public health, information technology, and communications sectors.
While the Framework is voluntary, NIST is highly influential, and the Framework has the potential to become a de facto cybersecurity standard. With the U.S. Federal Government’s increasing emphasis on cyber risk preparedness, the Framework may well become a requirement for conducting business with U.S. federal agencies. If so, many private U.S. and multi-national providers will face a strong impetus to adopt the Framework. NIST plans to engage foreign governments and entities to advocate for the broad international adoption of the Framework. As such, Canadian firms will benefit from familiarizing themselves with the Framework.
At the very least, it will likely provide a common set of terms and language for discussing cybersecurity within industry and government. For example, the Framework could serve as a useful complement for financial institutions and suppliers addressing the OSFI Cyber Security Self-Assessment Guidance (OSFI Guidance) released on October 28, 2013. While the OSFI Guidance is high-level and descriptive, the Framework is significantly more detailed and prescriptive and includes many globally accepted standards and best practices.