Best practice
Increased protection
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
Although the National Institute of Standards and Technology (NIST) Cybersecurity Framework is voluntary and was originally aimed at critical infrastructure, it has evolved into a de facto standard for organisations generally and has inspired other sets of cybersecurity guidelines. The Federal Financial Institutions Examination Council adapts the NIST framework to financial services, and the Cybersecurity Maturity Model Certification (CMMC) provides a standard for the defence industrial base that draws its controls from NIST guidance (principally NIST Special Publication 800-171) and is consistent with the framework.
The NIST Cybersecurity Framework provides guidance to help organisations manage cybersecurity risks and is organised around an assessment of the five ‘functions’ of an effective cybersecurity programme:
- identify – the capacity to identify and understand organisational cyber risks, including the systems, assets, data and capabilities that need protecting;
- protect – the development and implementation of appropriate safeguards to ensure delivery of critical services;
- detect – the activities and capabilities to detect cybersecurity intrusions and attempted intrusions in a timely manner;
- respond – the capability to react to and contain a detected cybersecurity incident; and
- recover – the activity of planning for resilience and the capability to maintain or restore services that are impaired by a cybersecurity incident.
How does the government incentivise organisations to improve their cybersecurity?
Although the use of incentives was authorised under an Executive Order issued by President Obama (Executive Order 13636), the United States does not overtly use government incentives such as grants or tax credits to persuade companies to improve their cybersecurity. President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity has made clear that access to federal contracts will depend on private companies being able to comply with federal cybersecurity standards; this conditioning of contract eligibility on security requirements has long been the approach used to incentivise federal defence contractors.
A number of states, including Maryland, offer tax credits to qualifying small companies that purchase cybersecurity technologies or services from qualified in-state providers.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework;
- Payment Card Industry Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/;
- Securities and Exchange Commission, Office of Compliance Inspections and Examinations (OCIE), Cybersecurity and Resiliency Observations: https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf;
- Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of; and
- Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/.
Are there generally recommended best practices and procedures for responding to breaches?
Several agencies have produced guidelines – ranging from comprehensive manuals to a single web page – that can be valuable when engaging in incident response. For example, the Federal Trade Commission has published a data breach response guide geared toward businesses and provides a separate resource for complying with its Health Breach Notification Rule. The Computer Crime and Intellectual Property Section of the Criminal Division of the US Department of Justice has released a revised version of its Best Practices for Victim Response and Reporting of Cyber Incidents, and the Cybersecurity and Infrastructure Security Agency (CISA) has developed a series of cybersecurity incident and vulnerability response playbooks.
Voluntary information sharing
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Since its establishment in 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has led efforts to coordinate the US approach to cybersecurity as well as government outreach to private companies. Many private companies participate in Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs), which share threat intelligence, including intelligence from government sources. The Department of Homeland Security (DHS) operates a Cyber Information Sharing and Collaboration Program, through which it shares unclassified threat intelligence via public-private networks in the critical infrastructure sectors. The United States Computer Emergency Readiness Team (US-CERT), now part of CISA, provides national threat intelligence and assists critical infrastructure operators in responding to cybersecurity threats. DHS also operates an Automated Indicator Sharing capability that exchanges machine-readable threat indicators and defensive measures in near real time. As a legal incentive, the Cybersecurity Information Sharing Act of 2015 provides liability protection for private entities that share cyber threat indicators and defensive measures with the federal government or with one another in accordance with its requirements.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The government and private sector cooperate in developing regulatory cybersecurity standards primarily through the notice-and-comment rulemaking process (termed ‘informal rulemaking’ under the Administrative Procedure Act), in which an agency publishes a proposed rule, receives and considers public comments from industry and other stakeholders, and then issues a final rule. Federal and state agencies use notice-and-comment procedures for most rulemaking actions, including when creating new administrative regulations or repealing existing ones.
Insurance
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance obtainable for most organisations? How common is it?
Insurance for cybersecurity incidents, which can help cover the costs of responding to a major security incident, is available in the United States and has become increasingly common, particularly for large companies that hold significant volumes of consumer information. Such coverage has become more difficult to obtain in adequate amounts at reasonable prices owing to the rise in ransomware, and the Department of the Treasury is studying whether a federal cyber insurance programme would be prudent.