
July 24, 2014

U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Releases Draft Cybersecurity Framework

Last week the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its long-anticipated draft “Preliminary Cybersecurity Framework” (PCF).  This PCF lays out a proposed framework by which both private and public companies that work with “critical infrastructures” may (i) better evaluate cyber-risk, (ii) prepare better defenses against the threat of cyber-attacks, and (iii) prepare focused recovery/remedial protocols in response to any such attacks.

The PCF arises from the President’s February 12, 2013 Executive Order 13636, which called for NIST’s development of a “framework” providing a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for “critical infrastructure services” to manage cybersecurity risk.  The PCF will commence a 45-day public comment period followed by the PCF’s finalization in February 2014.

The new framework outlined in the PCF sets out specific steps and best practices for all organizations, public and private, small and large, to implement so as to better protect the U.S.’s critical cyber infrastructure.  The PCF sets out a proposed risk-based approach to combating cybercrime, and summarizes five basic functions (a so-called “Framework Core”) for cybersecurity protocols: (i) identify, (ii) protect, (iii) detect, (iv) respond and (v) recover.  In addition, Appendix B of the PCF supplies a “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program,” which provides a set of specific privacy considerations outlined using the format suggested in the PCF’s Framework Core.  For each function and category identified in the PCF, the document sets out in detail the relevant topics and issues, along with the source materials on which they draw.  Significantly, the PCF as currently outlined imposes no legally binding regulations or requirements, but is instead grounded on a “voluntary basis” and is meant to serve as a model process that organizations may adapt to their own specific cybersecurity needs and circumstances.

Second, the PCF provides for a “Framework Profile,” which is intended to show organizations one approach to tracking their cyber threat defense efforts against targeted goals.  This tool can then be used to gauge the allocation of resources across larger defense projects.  In short, this suggested tool provides organizations with a simple, yet direct, way to self-assess the implementation progress of their risk assessment and defensive/responsive measures.

Finally, the PCF provides for “Framework Implementation Tiers,” which are aimed at assessing the relationships between an organization’s overall risk management functions, such as current risk assessment practices, actual threat environment analyses, legal/regulatory requirements, business objectives and organizational restrictions.  These tiers are used to assess the overall level of an organization’s handling of cyber risk, starting at “Tier 1: Partial,” proceeding up to “Tier 2: Risk-Informed,” then to “Tier 3: Risk-Informed and Repeatable,” and culminating with “Tier 4: Adaptive.”

It is important to note that the PCF is a suggested “means” to the implementation of either (i) an improved and more robust cyber defense program (for those organizations having a current program), or (ii) an initial program (for those organizations lacking one).  It provides organizations with the ability to evaluate their risks and the need (if any) for greater assessment efforts, whether qualitative, quantitative, or both.  While any specific organization’s risk environment and susceptibility to cyber-attack will differ from those of other organizations, the risk facing those companies operating “critical infrastructure” remains high as the incidence of cyber-attacks over the last few years continues to escalate.

Thus, it is important for corporate leaders to set cyber defense strategies and facilitate their prompt and efficient implementation.  The model laid out by the PCF provides one such avenue of guidelines and methodologies.  It also signals the growing importance of cybersecurity issues across the business spectrum, and the need for all companies to seriously assess their vulnerabilities and the best ways to reduce those risks, as well as to implement effective procedures for handling attacks (and responding to them with a minimum of business disruption).

It is therefore strongly recommended that all organizations utilize some form of cyber risk assessment and analysis, whether or not it is the formulation outlined in the PCF, to correctly position themselves against the threat of cyber infrastructure attacks, whether or not their systems are “critical.”

However, it is important to note that although the proposed framework is indeed voluntary, it does pose a risk that in “suggesting” the widespread adoption of certain industry practices, NIST is also providing private litigants and regulators with a means by which to bolster their efforts to induce critical infrastructure operators to adopt certain security practices as outlined in the framework.  Indeed, the framework as ultimately adopted next year could also be used by participants in private disputes to establish the reasonableness or unreasonableness of a given company's existing data security strategies and efforts.

©2014 Drinker Biddle & Reath LLP. All Rights Reserved

About the Author

Kenneth K. Dort, Partner, Drinker Biddle & Reath LLP

Kenneth K. Dort is a partner in the firm’s Intellectual Property Practice Group and the chairman of the firm's Technology Committee. His practice is focused on information technology and intellectual property law issues, including software development and licensing, systems development and integration, data encryption and security, trade secret protection, and patent/copyright/trademark/ licensing and protection.

Ken has extensive experience handling cases at the trial and appellate levels throughout the United States in areas such as patent, copyright and...
