On February 12, 2014, the National Institute of Standards and Technology (NIST) published the first complete version of its Framework for Improving Critical Infrastructure Cybersecurity. The Framework was published exactly one year to the day after President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”

Federal agencies (for whom the Framework is mandatory) and private owners and operators of critical infrastructure can now begin to consider whether to formally implement the Framework. While the Framework has generally been well received in principle, the critical question—whether the Framework will truly lead to meaningful improvements in cybersecurity risk assessment and resilience across organizations and sectors—will only be answered as federal and private organizations begin to use the Framework in real time. A number of questions that were raised throughout the Framework development process are certain to persist in the coming months and years as organizations begin work on adoption. How such questions are answered could bear significantly on whether the Framework is ultimately successful. Those questions include:

  • Despite NIST’s original intentions, will the Framework become a set of minimum cybersecurity practices that all organizations – or all owners and operators of critical infrastructure – must undertake?
  • Will private organizations formally adopt the Framework given concerns about potential liability and lack of adoption incentives?
  • How effectively will the Framework improve cybersecurity practices if the appropriate level of implementation is defined by each organization?
  • How will the effectiveness or success of the Framework be measured?

The Completed Framework

For the most part, NIST made only superficial descriptive and organizational changes to the completed Framework from its Preliminary Framework, issued on October 22, 2013.  The Framework’s fundamental components, as described in our prior client alert on the Preliminary Framework, remain the same.

In brief, the Framework comprises:

  • The Framework Core: A matrix of “activities, desired outcomes and applicable references” at increasing levels of specificity for evaluating and improving an organization’s cybersecurity practices.
  • Implementation Tiers: Categories to describe “the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.”
  • Profiles: Descriptions of an organization’s cybersecurity program mapped onto the various categories and subcategories to evaluate the organization’s current and desired states of implementation; the Framework calls for each organization to develop both a “Current” Profile to describe its initial state of implementation and a “Target” Profile to describe its desired state.

The completed Framework contains two particularly notable changes from the Preliminary Framework. First, the Preliminary Framework added language not contained in prior drafts stating that “[O]rganizations should have at least basic capabilities implemented in each of [the five core Functions].” The completed Framework removes this language and does not explicitly state that organizations need any particular level of implementation of the five Functions to adopt the Framework. The decision to include or remove this language may be somewhat superficial—in reality, it would seemingly be hard to claim that an organization had a viable cybersecurity program where it took absolutely no action to Identify, Protect, Detect, Respond or Recover. Still, NIST may have ultimately decided not to include this language in order to quell fears that, despite NIST’s stated intentions, the Framework will evolve into a set of minimum requirements that all owners and operators of critical infrastructure must meet.

Second, whereas the Preliminary Framework contained its “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program” in an appendix to the Framework, the completed Framework moves its discussion of privacy and civil liberties into the body of the Framework itself. That might signal an effort by NIST to encourage adopters continuously to incorporate privacy and civil liberties considerations in their implementation processes, rather than treat those considerations as a separate process or afterthought. At the same time, however, the final Framework pares down and generalizes its discussion of privacy and civil liberties. NIST will host a two-day “privacy engineering” workshop at its headquarters on April 9-10, 2014, which may provide more insight into how it anticipates adopters may integrate privacy and civil liberties into cybersecurity.

“Framework 1.0” and NIST’s “Roadmap”

Although the Executive Order references a “final Framework,” NIST has stressed throughout the development process that it is publishing “Framework 1.0.”  In other words, while NIST envisions this Framework to be a completed, user-ready document, it intends to publish improved versions of the Framework in the future based on industry experience, further research, etc.  NIST has described the Framework as a “living document.”

To facilitate further development, NIST has published a “Roadmap” laying out its next steps and identifying areas for improvement.  NIST’s areas for improvement include:

  • Authentication: Helping to develop better authentication tools, standards and practices;
  • Automated Indicator Sharing: Working to develop improved standards and mechanisms for sharing cybersecurity incident indicators across different types of organizations with different systems;
  • Conformity Assessment: Promoting the use and development of existing conformity assessment programs, which could be used in the development of a Framework Profile;
  • Cybersecurity Workforce: Promoting efforts to raise cybersecurity awareness and helping to identify workforce needs and improve cybersecurity training and education;
  • Data Analytics: Assisting with efforts to use big data to better analyze and understand cybersecurity risks and needs;
  • Federal Agency Cybersecurity Alignment: Identifying areas of alignment between existing federal cybersecurity standards and the Framework and identifying gaps where the Framework can be used to improve those standards;
  • International Aspects, Impacts, and Alignment: Seeking areas of alignment with international practices and standards and assisting stakeholders with international engagement efforts;
  • Supply Chain Management: Facilitating Framework adoption in supply chain systems and identifying challenges to adoption; and
  • Technical Privacy Standards: Facilitating the development of technical privacy standards that are designed to fit into the planning and build of a cybersecurity program and which comport with the Framework’s risk management approach.

NIST’s work on some of these areas of improvement may highlight the tension—ongoing throughout the Framework’s development—between the Framework as a flexible process document and the Framework as a set of de facto minimum standards.  NIST has insisted throughout the development process that the Framework is only the former, including by removing the “basic capabilities” language added in the October version of the Preliminary Framework. NIST has avoided explicitly incorporating even the most basic and common security measures into the Framework as “requirements” or “minimums.”  But NIST’s work in developing specific authentication and technical privacy standards might raise the question of whether minimum standards always can or should be avoided.  Certain authentication and privacy practices, for example, might be so basic and universal that they are essentially required.

Critical Infrastructure Cyber Community

Concurrent with the publishing of the Framework, the Department of Homeland Security (DHS) announced the creation of the Critical Infrastructure Cyber Community, or C3 (pronounced “C-cubed”). C3 has three main goals: (1) to support adoption and use of the Framework, including by providing information, tools, guidance and resources to adopters; (2) to facilitate outreach and communication to promote use and support of the Framework; and (3) to solicit and gather feedback about the Framework, and communicate that feedback to NIST for use in further improvement efforts.

To help support adoption and use of the Framework, DHS has aligned some of its existing cybersecurity resources with the five core Functions for use through C3.  One such resource is DHS’s Cyber Resilience Review (CRR), which provides a no-cost, voluntary assessment of an organization’s cybersecurity resilience, conducted either as a self-assessment or by DHS cybersecurity staff.  DHS has mapped various questions and items from the review onto the elements of the Framework, so that the review can be used as a method for determining an organization’s success in adopting certain Functions or Categories.

Incentives Process “Ongoing”

The Executive Order also directs the Secretary of DHS to develop a system of incentives to promote adoption of the Framework. Since the order was issued, there has been a considerable amount of debate and speculation concerning what the incentives could be and how they would be provided. Despite the release of the completed Framework, however, DHS has yet to announce any formal incentives program and states that development of such a program is “ongoing”; there is no timing yet on when the incentives will be issued. A number of significant hurdles exist to the creation of significant incentives, principally that the most attractive incentives, such as liability limitations for adopters, require congressional action. Other possible incentives, for example, preferences in government contracting, would seemingly clash with existing rules and could be harder to implement fairly given that adoption of the Framework depends on an organization’s own assessments of its cybersecurity risks and needs.

Conclusion

Although NIST has released its completed Framework, many questions about its impact and influence have yet to be answered.  It is unclear whether a significant number of owners and operators of critical infrastructure will adopt the Framework, and whether adoption improves cybersecurity practices generally.  The White House Cybersecurity Coordinator has been campaigning for owners and operators of critical infrastructure to “kick the tires” of the Framework and provide feedback on what needs to be updated or improved.  The more feedback NIST gets, the more successful the administration may judge this first Framework effort.

It also remains to be seen whether the Framework remains only a process-oriented document or whether it eventually comes to include certain minimum standards.  Ultimately, NIST and C3’s work to evaluate and improve the Framework process and its integration with owners and operators of critical infrastructure may help shed light on these questions, as well as inform owners and operators of critical infrastructure as to whether they should consider adopting the Framework themselves.