On Wednesday, February 12, the White House released the National Institute of Standards and Technology’s (NIST) Final Cybersecurity Framework: a set of industry best practices and standards to help owners and operators of critical infrastructure develop better cybersecurity programs. It is accompanied by a Roadmap which discusses NIST’s next steps with the Framework and identifies key areas of development, alignment, and collaboration. The Framework stems from President Obama’s February 2013 Executive Order on cybersecurity, previously covered on October 1, 2013. The overall core of the Framework is essentially unchanged from earlier drafts, also previously discussed on October 28, 2013.
While adoption of the Framework is voluntary, and incentives for adoption have not yet been fixed, the Department of Homeland Security (DHS) has established the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to increase awareness and use of the Framework. This program is intended to connect companies to DHS and other federal government programs and resources that will assist their efforts in managing their cybersecurity risks.
The increasing frequency of cyber attacks creates business risks that must be addressed by any prudent company. In a highly publicized recent event, hackers stole about 40 million credit and debit card records and 70 million other records with personal customer data from the third-largest U.S. retailer, Target Corp. Industry watchers expect these attacks to increase. Although the Framework is voluntary in nature, it is likely to become the best-practice benchmark for what is considered commercially reasonable. Companies should be prepared to document and demonstrate that their cybersecurity practices are consistent with the practices promoted through the Framework. Failure to do so may expose an organization to costly litigation.
The NIST Roadmap provides that the Framework is a living document that will be regularly updated. This blog will cover these updates as they occur.