On February 12, 2014, the White House launched version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). The Framework was developed by the National Institute of Standards and Technology (“NIST”) pursuant to Executive Order 13636, signed by President Obama in February 2013. The Framework was prepared in collaboration with industry stakeholders, and is presented as a guide to aid critical infrastructure companies in establishing and improving their cybersecurity programs.
The Framework closely tracks the draft that was released in October 2013. As with the earlier version, the Framework is still composed of the Framework Core, Profiles, and Implementation Tiers. Each component includes NIST recommendations for how to use and integrate the components and standards into a cybersecurity program.
One major change in the Framework is that the appendix discussing privacy and civil liberties has been integrated into a “Methodology to Protect Privacy and Civil Liberties” in the “How to Use” section of the Framework. Regarding the protection of civil liberties arising from cybersecurity activities, “direct responsibility” is limited to “government or agents of the government.” As to “privacy implications,” the Framework directs organizations to consider how a cybersecurity program “might incorporate privacy principles” such as data minimization, use limitations, individual consent and redress, and accountability. The Framework provides a list of processes and activities that may be considered as a means to address these principles.

The announcement of the Framework was accompanied by the release of the NIST Roadmap for Improving Critical Infrastructure Cybersecurity (“Roadmap”). The Roadmap provides a vision of how NIST hopes to improve the Framework over time.
NIST will also begin the process of developing a privacy risk management model and technical standards. The goal of this process will be to identify and develop technical standards or best practices to mitigate the impact of cybersecurity on individual privacy. To begin this process, NIST will hold a privacy workshop in the second quarter of 2014 that will focus on the advancement of privacy engineering to aid in the development of privacy standards and best practices.