Voluntary But Valuable: Using NIST’s New Cybersecurity Framework

On February 12, 2014, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, or more simply, the Cybersecurity Framework. The Framework is the culmination of a year-long process set in motion by the Obama Administration’s February 2013 Executive Order, “Improving Critical Infrastructure Cybersecurity.” That Order charged NIST with the task of developing voluntary cybersecurity standards for organizations that are considered part of the country’s “critical infrastructure.”

“Critical infrastructure” is defined as “systems and assets, whether physical or virtual, so vital to the United States that incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters.” So, while it doesn’t apply to everyone, it is very broad. When you think “critical infrastructure,” think defense, energy, finance, healthcare, transportation. Odds are, even if an organization doesn’t fall directly within the definition, it does business on a daily basis with an organization that does. More importantly, while technically written for critical infrastructure organizations, the Framework is crafted such that anyone can benefit from its guidance. The bottom line is: everyone needs to know the Framework exists. Going one step further, we should all be familiar with its recommendations and try to put them into practice.

The ideas in the Framework are not unique and, in fact, they draw heavily on resources that have been available and in use for years. By working with private sector experts and seeking input from thousands of contributors, NIST has organized these resources into a comprehensive, yet user-friendly roadmap that companies can easily follow. It is intended for high-level executives and risk managers. It broadly addresses cybersecurity policies, practices, and goals, but also provides references to dozens of resources for implementing the nitty-gritty of an organization’s security measures. It is designed to complement existing risk management and cybersecurity programs; help assess current cybersecurity posture; identify and prioritize opportunities for improvement; monitor progress towards new targets; and facilitate communication internally and externally about cybersecurity risk.

The Framework consists of three components: (1) the Framework Core; (2) Tiers; and (3) Profiles. The Framework Core provides companies with a series of activities and resources that they can use to manage their risks. The activities are broken down into five key functions: Identify, Protect, Detect, Respond, and Recover. In other words, identify the risks and vulnerabilities, develop systems to protect against cyber intrusions, detect any such intrusions or cybersecurity events, respond to a breach of security, and recover from the attack.

The Tiers characterize how individual companies view their level of risk and divide companies according to the degree of rigor in their risk management practices. They range from “partial” (Tier 1) to “adaptive” (Tier 4). The goal is to be adaptive, but the Framework contemplates that everyone has work to do to get there.

In that vein, the Profiles help companies identify where they are and where they want to go in terms of cybersecurity by creating “current” and “target” profiles. Organizations can see how well they align with other entities within their sector, whether they comply with applicable state and federal laws and standards, and how they can maintain industry best practices. The Framework even offers a helpful seven-step program that an organization can follow to create a new cybersecurity program or improve an existing one.

While the standards are currently voluntary, they will likely become the de facto standard of care by which lawyers and regulators will judge all organizations, not simply those who are technically part of the critical infrastructure. Even if a company isn’t considered vital to national security, we all need to be smarter about cybersecurity. To protect the private information of customers, clients, employees, and business partners, and to ensure continuity of company operations, the Framework is an excellent place to start.

Find the Framework here.

About The Author

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

Posted in Standards
