This is the fourth in a series of posts about specific proposals in the recent US cybersecurity report. In this post, we discuss Action Item 1.4.4 — standardized cybersecurity conformity assessments.
Action Item 1.4.4 recommends, "[t]he private sector should develop conformity assessment programs that are effective and efficient, and that support the international trade and business activities of U.S. companies." These "conformity assessments" would signal to third parties that a business had "exercis[ed] diligence with regard to cybersecurity." The Commission’s report recognizes that "[c]onformity assessments conducted by private-sector organizations can increase productivity and efficiency in government and industry, expand opportunities for international trade, conserve resources, improve health and safety, and protect the environment." Identifying the 2014 NIST Cybersecurity Framework as "a good basis for conformity assessment," the report suggests that "conformity assessment[s] . . . could, in part, meet the needs of" private organizations "in demonstrating their effective use of the [NIST] Cybersecurity Framework."
Even if these conformity assessments remain mere best practice—as opposed to regulatory mandate—it is easy to imagine that they might reshape the cybersecurity landscape. For example, insurers may require policyholders to pass conformity assessments before offering coverage. Or commercial counterparties may insist on businesses passing the assessments before sharing data, just like many companies require their commercial counterparties to pass ISO27000-series audits. So it’s worth asking some basic legal and regulatory questions about how these assessments might work in practice:
- What would the "private-sector organizations" entrusted with these assessments look like? How would such assessors themselves be accredited? Would accreditation be the purview of the government or some industry body? If the government legitimates assessors, would companies have a right of legal appeal against adverse findings? If industry legitimates them, would the bodies be subject to regulatory capture?
- Would the assessments be sector-specific, or would one set of assessors and principles apply across the entire economy?
- Would the assessments necessarily cover a whole company—or might they cover just part of a business? If they cover only part of a business, would they cover particular business lines or geographic locations? And if only part of a business is certified, what weight would the exercise have? A small part of a business could be certified—you can theoretically ISO27001-certify a pencil!—even if the rest of the business isn’t secure at all.
- Would the assessments vary at all depending on risk appetite? For example, would you be subject to a lighter assessment if your stakeholders were very comfortable with risk?
- What would be the legal ramifications of having a stamp of approval? Would it preempt liability claims against a company, or at least increase the showing a plaintiff needed to make to state a claim against a company for cybersecurity incidents? Could assessors themselves be sued for negligent assessments?
- Most importantly, what standard would the assessors apply? The Action Item pushes the government’s own NIST Cybersecurity Framework as the gold standard. But would that be the only standard when companies already try to conform to other standards like COBIT 5 and the British Computer Society’s Code of Conduct? Would there be sector-specific overlays, such as the FFIEC’s cybersecurity guidance for financial institutions or PCIDSS for payment card companies? And how would these assessments relate to ISO27000 audits, which are already widely used? Would they supplement these audits or replace them?
These are mostly policy questions for public debate. But there’s an immediate question for private businesses: as noted above, many commercial contracts already require counterparties to submit to cybersecurity assessments, usually ISO27000-series audits. Should companies start writing contracts based on the assumption that these new assessments will someday take hold, and if so, what should those contracts look like?