On February 12, 2014, the Commerce Department’s National Institute of Standards and Technology (“NIST”) released a document entitled “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”). According to the NIST, the Framework is voluntary and was developed through a public-private partnership in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued by President Obama in February 2013.
Primarily aimed at organizations with critical infrastructure and sensitive information, such as those in the financial, energy, and healthcare industries, the goal of the Framework is to better protect critical information as well as critical physical assets from cyber attacks. The Framework adopts industry standards and best practices to help organizations manage cybersecurity risks “in a cost-effective manner.” In addition to the Framework document, the NIST also released a “Roadmap” document that sets forth the path toward future updates of the Framework. In fact, the NIST has referred to the Framework document (labeled as Version 1.0) as a “living” document that will be updated, as necessary, in response to industry feedback and to keep pace with improvements in technology and new threats.
The NIST emphasizes that the Framework is “technology neutral” and should complement, and not replace, an organization’s risk management process and cybersecurity program. The Framework provides a common taxonomy and method for organizations to accomplish the following:
- describe their current cybersecurity posture;
- describe their target state for cybersecurity;
- identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- assess progress toward the target state; and
- communicate among internal and external stakeholders about cybersecurity risk.
In keeping with the “living” nature of the Framework document, the NIST is expected to sponsor workshops with industry stakeholders over the next six months. These workshops will aim to assist organizations in adopting the Framework as well as to provide a forum where experiences with the Framework are shared and potential refinements identified. As noted above, the Framework is strictly voluntary and the NIST has no enforcement authority. However, Congress could enact legislation that would provide incentives for private entities that adopt the Framework.
The Framework document in its entirety can be downloaded here.