On February 12, the White House released the widely anticipated Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). Developed pursuant to Executive Order 13636 (issued in February 2013), the Framework strongly encourages companies across the financial, communications, chemical, transportation, healthcare, energy, water, defense, food, agriculture, and other critical infrastructure sectors to implement and comply with its voluntary standards. The provisions set forth in the Framework may establish a new baseline for industry standard practices, and may impact or guide FTC enforcement actions and plaintiff data breach lawsuits.
The Framework was prepared by the National Institute of Standards and Technology (NIST), which solicited and incorporated input from the private sector, government agencies, and the privacy and security community. The Framework is intended to embody existing “best practices” rather than to establish new standards. President Obama praised the Framework as “highlight[ing] the best practices and globally recognized standards so that companies across our economy can better manage cyber risk.” According to the White House, the Framework can serve as a cybersecurity roadmap for all companies, and “[f]or organizations with more advanced cybersecurity, the Framework offers a way to better communicate with their CEOs and with suppliers about management of cyber risks.” The President also stated that “[w]hile I believe that today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity.”
Significantly, Senator Rockefeller stated that the Framework “should become an essential touchstone, not just for critical infrastructure operators, but for all companies and government agencies that need to protect their systems and their data.” The business community appears to be generally supportive of the new Framework. For example, AT&T CEO Randall Stephenson was quoted as saying that his company would use the Framework as baseline requirements for its suppliers and partners, and that “[a]ny large company that isn’t imposing cybersecurity standards” on service providers “has a vulnerability that they’re missing.”
We recommend that all companies—especially but not limited to those owning or operating critical infrastructure—review their cybersecurity and information security protocols and assess their practices (and those of their service providers) in light of the new Framework. All companies may be under added scrutiny given the recent spate of data breaches and heightened attention to cybersecurity incidents. Inevitably, sector-specific regulatory agencies, the Federal Trade Commission and courts of law will look to the Framework for guidance on the reasonableness and/or adequacy of a company’s information governance protocols and internal controls.
In sum, we believe that all companies should use the new Framework as a basis to focus attention, responsibility and accountability for cybersecurity within their organizations. We recommend that CEOs, General Counsels, risk management executives, and corporate directors actually read the Framework; it is written at a level intended to be fully accessible to non-technical, senior executives.
The Cybersecurity Framework
Executive Order 13636, issued by President Obama in February 2013, required NIST to develop the Framework. NIST worked with critical infrastructure members in the private sector and government to identify standards common across critical infrastructure entities and design assessment tools to tailor implementation to particular sectors and measure compliance.
The White House noted that the Framework provides basic first steps for companies that lack a cybersecurity program, and that for companies with existing, advanced programs, it offers a concrete method to communicate with executive boards and third party suppliers to further integrate security practices.
President Obama announced that the Framework marked a “turning point” but that “much more work needs to be done to enhance our cybersecurity.” In particular, the President called on Congress to pass cybersecurity legislation that would add enforcement authority and incentives for compliance with cybersecurity standards.
The Framework—which is largely similar to earlier drafts—is built on three components. First, the Framework Core identifies five concurrent functions common across all critical infrastructure entities. All entities should develop the ability to: (1) identify cybersecurity risks and vulnerabilities; (2) protect critical infrastructure assets; (3) detect the occurrence of a cyber event; (4) respond to a detected event; and (5) recover from a cyber event.
Second, the Framework Tiers characterize an entity’s cybersecurity practices from partial (Tier 1) to adaptive (Tier 4) compliance. The Tiers are used to assess compliance with the Framework standards and legal and regulatory obligations, and to determine resource allocation.
Third, the Framework Profile aligns the Core’s standards with the particular needs and practices of an implementation scenario. Companies can compare their current cybersecurity profile with their target profile to assess necessary steps to strengthen security.
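To make the Core/Tier/Profile relationship concrete, the following is an added, illustrative model of a Profile gap analysis; it is not NIST tooling or code from the Framework. The five Functions and the Tier names are taken from the Framework itself (the page names only Partial and Adaptive; Risk Informed and Repeatable are Tiers 2 and 3 in NIST's document). The outcome names, implementation statuses, and the current and target profiles are constructed sample data, and the real Core's Function > Category > Subcategory structure is collapsed to Function > outcome for brevity.

```python
"""Toy Framework Profile gap analysis (added example, not NIST's own tooling).

A Profile records which Core outcomes an organization has selected and how far
each is implemented. Comparing a Current Profile with a Target Profile yields
the list of outcomes that still need work, which is the "necessary steps"
assessment described in the text.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum

# The five concurrent Functions of the Framework Core, in Core order.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


class Tier(IntEnum):
    """Implementation Tiers as defined in the Framework (organization-wide)."""
    PARTIAL = 1
    RISK_INFORMED = 2
    REPEATABLE = 3
    ADAPTIVE = 4


class Status(IntEnum):
    """Constructed per-outcome implementation scale used by this example."""
    NOT_IMPLEMENTED = 0
    PARTIAL = 1
    IMPLEMENTED = 2


@dataclass(frozen=True)
class Outcome:
    function: str  # one of FUNCTIONS
    name: str      # constructed stand-in for a Core subcategory


@dataclass
class Profile:
    name: str
    tier: Tier
    statuses: dict[Outcome, Status] = field(default_factory=dict)


@dataclass(frozen=True)
class Gap:
    outcome: Outcome
    current: Status
    target: Status

    @property
    def size(self) -> int:
        return int(self.target) - int(self.current)


def gap_analysis(current: Profile, target: Profile) -> list[Gap]:
    """Return outcomes where the current profile falls short of the target.

    Outcomes selected in the target but absent from the current profile are
    treated as NOT_IMPLEMENTED. Largest gaps come first; ties follow Core
    Function order so Identify/Protect shortfalls surface before Recover.
    """
    gaps = []
    for outcome, want in target.statuses.items():
        have = current.statuses.get(outcome, Status.NOT_IMPLEMENTED)
        if have < want:
            gaps.append(Gap(outcome, have, want))
    gaps.sort(key=lambda g: (-g.size, FUNCTIONS.index(g.outcome.function)))
    return gaps


def summarize(current: Profile, target: Profile) -> dict:
    """Board-level summary: tier shortfall plus open gaps per Function."""
    gaps = gap_analysis(current, target)
    per_function = {f: 0 for f in FUNCTIONS}
    for g in gaps:
        per_function[g.outcome.function] += 1
    return {
        "tier_shortfall": int(target.tier) - int(current.tier),
        "open_gaps": len(gaps),
        "gaps_by_function": per_function,
    }


# Constructed sample outcomes, one per Function (not the Framework's real IDs).
INVENTORY = Outcome("Identify", "Physical devices and systems are inventoried")
REMOTE_ACCESS = Outcome("Protect", "Remote access is managed")
MONITORING = Outcome("Detect", "Network is monitored for cybersecurity events")
IR_PLAN = Outcome("Respond", "Incident response plan is executed")
RECOVERY = Outcome("Recover", "Recovery plan is executed")

# Constructed sample profiles: the current one has never selected RECOVERY.
CURRENT = Profile("Current", Tier.RISK_INFORMED, {
    INVENTORY: Status.IMPLEMENTED,
    REMOTE_ACCESS: Status.PARTIAL,
    MONITORING: Status.NOT_IMPLEMENTED,
    IR_PLAN: Status.PARTIAL,
})
TARGET = Profile("Target", Tier.REPEATABLE, {
    o: Status.IMPLEMENTED for o in (INVENTORY, REMOTE_ACCESS, MONITORING, IR_PLAN, RECOVERY)
})

GAPS = gap_analysis(CURRENT, TARGET)

if __name__ == "__main__":
    for g in GAPS:
        print(f"{g.outcome.function:8} {g.outcome.name}: {g.current.name} -> {g.target.name}")
    print(summarize(CURRENT, TARGET))
```

Running the block lists four open gaps, with the unaddressed Detect and Recover outcomes first because they have the largest distance to the target; the summary also shows the one-Tier shortfall (Risk Informed to Repeatable), which is an organization-wide attribute separate from the per-outcome Profile comparison.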
One significant change from earlier drafts is that the Framework scaled back inclusion of distinct privacy protections. Earlier drafts had detailed concrete steps to protect privacy in efforts to improve cybersecurity, but industry and others criticized the drafts’ free-standing privacy appendix as too prescriptive. Backing away from this approach, the final Framework states that companies should “consider” data minimization practices, use limitations, individual consent and redress for adverse impacts, data quality and integrity protections, and transparency in information collection and use. As noted below, however, companies should expect future iterations of the Framework to detail privacy protections and limit collection and use practices.
Partnership Between Government and Private Sector
Coordinated with the Framework’s release, the Department of Homeland Security unveiled the Critical Infrastructure Cyber Community (C³) (pronounced “C cubed”) Voluntary Program to increase awareness of the Framework, assist with compliance, and improve information sharing between government and the private critical infrastructure sector. The C³ program aims to be the central coordination point for the voluntary implementation of the Framework across the private sector and to streamline communication with federal, state, and local government. Feedback on implementation efforts will be shared with NIST to refine the next iteration of the Framework.
Pressures to Comply
Though the Framework is voluntary, companies may soon be pressured to comply. Providers of cybersecurity insurance may condition coverage on compliance with the Framework. Plaintiffs in data breach proceedings may allege negligence for failure to comply. The Federal Trade Commission and state Attorneys General may use the Framework as a baseline when determining whether an entity conducted itself in a way that could be construed as an unfair or deceptive trade practice. Government grants and awards may be conditioned on compliance. And the C³ program may condition access to valuable threat information on participation in the program. Further, cybersecurity legislation may ultimately require compliance and offer incentives—like limitations on liability—for companies that implement the Framework.
The Road Forward
Charting the Framework’s next steps, NIST also published a Roadmap for Improving Critical Infrastructure Cybersecurity (“the Roadmap”). The Roadmap noted that the Framework is intended to be a “living document” that will be modified and updated as companies undertake compliance. NIST will begin developing version 2.0 and may ultimately transfer responsibility for the Framework to a non-governmental organization.
The Roadmap identified several key areas for improvement in critical infrastructure cybersecurity, including:
- Authentication: improve authentication mechanisms, which are commonly exploited;
- Indicator Sharing: develop indicator information for timely and actionable cyber threat detection and response;
- Data Analytics: take advantage of the promise of analytic tools applied to big data sources to predict trends and assess weaknesses;
- International Engagement: work with foreign governments and international companies to integrate compliance standards around the world;
- Supply Chain Risk Management: integrate cybersecurity standards across vulnerable supply chains;
- Technical Privacy Standards: design a privacy risk management model, privacy standards, and supporting privacy metrics.
Though the current Framework downplayed privacy compliance, companies should expect the next iteration to focus on privacy best practices and technical standards. The Roadmap noted that achieving consensus on privacy has been difficult. Significantly, it criticized the shortcomings of the Fair Information Practice Principles (FIPPs) as “process-oriented” and inadequate to provide “specific technical standards” for privacy risk management. NIST will host a privacy workshop in the second quarter of 2014 to move beyond FIPPs and begin developing these new privacy technical standards.