On February 12, 2014, the Department of Commerce’s National Institute of Standards and Technology released its Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). The Framework is the result of President Obama’s 2013 Executive Order on “Improving Critical Infrastructure Cybersecurity,” which called for a voluntary, risk-based set of industry standards and best practices to help organizations manage cybersecurity risks. The Framework heralds a new era in cybersecurity – federally endorsed cybersecurity procedures and practices for private industry and organizations. In a nutshell, here’s what you need to know.
How it works: The Framework is designed to complement (not replace) existing cybersecurity programs. It is a risk-based approach to reducing cybersecurity exposure, which consists of three main elements:
Flexible and Scalable: Although ostensibly aimed at financial, energy, health care and other critical infrastructure sectors, NIST explains that the Framework “allows organizations – regardless of size, degree of cyber risk or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.” The Framework recognizes that organizations have unique risks and that they can determine which activities are important and prioritize expenditures to maximize the effect of each dollar spent.
Voluntary: Adoption and implementation of the Framework is voluntary. Nevertheless, the consensus standards and best practices may ultimately serve as a benchmark for establishing the standard of care for purposes of legal liability. In the event of a cybersecurity incident, liability may turn on whether, and to what degree, a company has implemented the Framework. Moreover, and as noted above, a Target Profile may soon become a way of communicating uniform cybersecurity requirements to providers of essential critical infrastructure services.
Global Reach: The Framework references globally accepted standards, guidelines and practices. As a result, “organizations domiciled inside and outside of the United States can use the Framework to efficiently operate globally and manage new and evolving risks.” NIST notes that the Framework “will discourage balkanization caused from unique requirements that hamper interoperability and innovation, and limit the efficient and effective use of resources.” Consequently, implementation of the Framework may ultimately improve efficiency and reduce costs for cross-border transactions and relationships.
Privacy and Civil Liberties: As required by the Executive Order, the Framework provides a short description of a methodology to protect privacy and civil liberties. In that regard, the Framework only provides a “general set of considerations and processes” as these concerns may differ by sector or over time and organizations may use varying processes to address these concerns. Generally, the Framework indicates that in appropriate circumstances, a cybersecurity program might incorporate certain privacy principles. Among other things, an organization may consider whether various processes are in place to ensure compliance with privacy laws, regulations, Constitutional requirements and the organization’s privacy policies.
Incentives for Implementation: President Obama’s Executive Order also called for establishment of a set of incentives designed to promote participation in the cybersecurity program. The process of identifying the incentives is still underway, but the White House has already previewed some possibilities. At the top of the list is cybersecurity insurance. A White House spokesperson explains that the goal of collaborating with the insurance industry “would be to build underwriting practices that promote the adoption of cyber-risk reducing measures and risk-based pricing and foster a competitive cyber insurance market.” This highlights the importance of insurance in managing cyber-related risks. Moreover, availability and premiums for coverage may very well depend on an organization’s Implementation Tier and Profile.
Future Developments: The Framework is intended to be a “living document” and as such will continue to evolve over time. In that regard, NIST released a “Roadmap” that “lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment and collaboration.” Some of the high-priority areas for future activities include: better identity and authentication solutions; automated sharing of indicator information; leveraging existing conformity assessment programs; secure application of “big data” analytic techniques; determining the key challenges to supply chain risk management to enable more effective Framework implementation; and improvements in the protection of individuals’ privacy and civil liberties while securing infrastructure.
If you have any questions about the content of this privacy alert, please contact Nick Nierengarten at 612.632.3040 or firstname.lastname@example.org.
This article is provided for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You are urged to consult a lawyer concerning any specific legal questions you may have.
Gray Plant Mooty is recognized as one of the leading corporate law firms in Minnesota and one of the top franchise firms in the world. Our roots go back to 1866. Today, we are a 180-plus attorney, full-service firm with offices in Minneapolis and St. Cloud, Minnesota; Washington, D.C.; and Fargo, North Dakota.