Having failed to obtain Congressional action on mandatory cybersecurity legislation, on February 12th the White House issued the final version of its Framework for Improving Critical Infrastructure Cybersecurity. The cybersecurity framework was developed by the National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce as the result of Executive Order 13636. While designed to be “voluntary” standards and best practices to help organizations manage cybersecurity risks, companies operating in critical infrastructure industries and other industries regulated by the Federal Government should begin now to adapt these standards to their activities, since the likelihood is great that federal regulatory agencies will begin to impose these standards on their industries in the near future. Even for industries not subject to pervasive federal regulation, persons and entities harmed by cybersecurity breaches are likely to argue that companies not meeting these standards failed to apply reasonably expected, de facto baseline data security standards.
The Framework has three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile.
The Framework Core is essentially a reference tool for organizations to identify best practices in cybersecurity risk management. It is divided into five broad cybersecurity Functions: Identify, Protect, Detect, Respond, and Recover. These are further broken down into Categories and Subcategories, which set forth specific outcomes that an organization may wish to achieve, e.g. protection against data leaks or detection of malicious code, and corresponding Informative References, which provide standards and guidelines that illustrate methods for achieving the desired outcomes.
The Framework Implementation Tiers provide a mechanism by which organizations can measure their overall cybersecurity risk management level. There are four Tiers increasing in rigor and sophistication from Tier 1 (Partial) to Tier 4 (Adaptive). Each Tier consists of three factors: Risk Management Process, Integrated Risk Management Program, and External Participation. The Framework instructs organizations to determine their current and desired Tiers, ensuring that the desired Tier represents a feasible and cost-effective goal. Progression to higher Tiers is encouraged, but it is not required for successful implementation of the Framework.
The Framework Profile is used to measure successful implementation of the Framework. Use of the Profile tool begins with the construction of a “Current Profile” consisting of the cybersecurity outcomes that the organization is currently achieving, as defined in the Categories and Subcategories of the Framework Core. The organization then conducts a risk assessment and builds a “Target Profile” describing its desired cybersecurity outcomes. After determining the gaps between its Current and Target Profiles, the organization develops and implements a “prioritized action plan” to address and close those gaps.
While the Framework offers only minimal guidance as to what outcomes should be included in the Target Profile, it is predictable that regulatory agencies, federal government customers, and courts will begin to fill in the specifics as to what standards entities are expected to meet, depending on the risks, costs, and potential harm involved. Given the likelihood that it will become at least a baseline for expected cybersecurity protections, companies should begin now to consider how to incorporate the Framework into their existing cybersecurity risk management programs.