Having failed to obtain Congressional action on mandatory cybersecurity legislation, on February 12th the White House issued the final version of its Framework for Improving Critical Infrastructure Cybersecurity. The cybersecurity framework was developed by the National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce as the result of Executive Order 13636. While designed to be “voluntary” standards and best practices to help organizations manage cybersecurity risks, companies operating in critical infrastructure industries and other industries regulated by the Federal Government should begin now to apply these standards to their activities, since the likelihood is great that federal regulatory agencies will begin to impose these standards on their industries in the near future. Even for industries not subject to pervasive federal regulation, persons and entities harmed by cybersecurity breaches are likely to argue that companies not meeting these standards failed to apply reasonably expected, de facto baseline data security standards.

The Framework has three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile.

The Framework Core is essentially a reference tool for organizations to identify best practices in cybersecurity risk management. It is divided into five broad cybersecurity Functions: Identify, Protect, Detect, Respond, and Recover. These are further broken down into Categories, Subcategories, and Informative References. The Categories and Subcategories set forth specific outcomes that an organization may wish to achieve, e.g. protection against data leaks or detection of malicious code, and the corresponding Informative References provide standards and guidelines that illustrate methods for achieving the desired outcomes.

The Framework Implementation Tiers provide a mechanism by which organizations can measure their overall cybersecurity risk management level. There are four Tiers increasing in rigor and sophistication from Tier 1 (Partial) to Tier 4 (Adaptive). Each Tier consists of three factors: Risk Management Process, Integrated Risk Management Program, and External Participation. The Framework instructs organizations to determine their current and desired Tiers, ensuring that the desired Tier represents a feasible and cost-effective goal. Progression to higher Tiers is encouraged, but it is not required for successful implementation of the Framework.

The Framework Profile is used to measure successful implementation of the Framework. Use of the Profile tool begins with the construction of a “Current Profile” consisting of the cybersecurity outcomes that the organization is achieving, as defined in the Categories and Subcategories of the Framework Core. The organization then conducts a risk assessment and builds a “Target Profile” describing its desired cybersecurity outcomes. After determining the gaps between its Current and Target Profiles, the organization develops and implements a “prioritized action plan” to address and close those gaps.

While the Framework offers only minimal guidance as to what outcomes should be included in the Target Profile, it is predictable that regulatory agencies, federal government customers, and courts will begin to fill in the specifics as to what standards entities are expected to meet, depending on the risks, costs, and potential harm involved. Given the likelihood that it will become at least a baseline for expected cybersecurity protections, companies should begin now to consider how to incorporate the Framework into their existing cybersecurity risk management programs.