Increasingly, c-suite executives and board members have questions about their companies' cybersecurity practices—or lack thereof. This monthly series is intended to provide high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations. Part three provided tips for increasing the chances that cybersecurity work product would be covered by the attorney-client privilege or work product doctrine.
In part four of this series, we look at what the NIST Framework really is, and why you should care about it.
Any discussion about implementing a companywide cybersecurity program should include the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.
Known as the “NIST Framework,” the 39-page document was released in February 2014. Drawing on existing industry standards and guidelines, NIST established a framework for companies to approach their cybersecurity programs.
Bottom line: even though the NIST Framework is entirely voluntary, companies have a number of legal and operational reasons to incorporate it into the heart of their cybersecurity programs.
First things first: what is the NIST Framework? It's a set of principles that divides cybersecurity into five general functions:
- Identify: Understand the organization’s cybersecurity risks.
- Protect: Ensure that the necessary cybersecurity safeguards are in place.
- Detect: Continuously monitor systems and networks to become aware of cybersecurity incidents.
- Respond: Build a cybersecurity incident response program.
- Recover: Develop a plan for restoring networks and systems after a cybersecurity incident.
Rather than require specific technological solutions, the NIST Framework provides general standards for organizations to adopt when assessing their cybersecurity risks and building risk management programs. Each function contains a number of categories and subcategories, and refers readers to portions of specific industry standards, such as ISO 27001.
Although the NIST Framework is intended for “critical infrastructure,” the term is broadly defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Under this definition, many companies – ranging from communications providers to manufacturers – could qualify as operators of critical infrastructure.
NIST states that this risk management framework is intended “to enable organizations to inform and prioritize decisions regarding cybersecurity.” Moreover, not a single organization is required by law or regulation to adopt the NIST Framework.
Then why should a company adopt the framework? Most importantly, it helps a company improve its cybersecurity. NIST’s staff sifted through dozens of highly complex industry standards and distilled them into principles that businesses across a wide range of sectors can implement. In comments to NIST in January, attorney Paul A. Ferrillo of Weil, Gotshal & Manges stated that he was “stunned” by the framework’s “elegant simplicity in an area which is far from intuitive.”
From a legal perspective, adopting the NIST framework helps reduce litigation risk. If a company were to experience a data breach (and most companies, at some point will), and was later sued by a customer or a state regulator, adoption of the NIST framework would be strong evidence that it exercised reasonable care and should not be held liable for damages. That is because the framework is the product of extensive deliberation among the executive and legislative branches.
In a 2013 executive order, President Barack Obama directed NIST to develop the framework, stating that the document should “include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” A year later, in the Cybersecurity Enhancement Act of 2014, Congress required NIST to “facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure.”
In other words, the framework was created at the behest of the president, and within a year was codified into a statute by Congress. No other U.S. cybersecurity standard has received such strong support from policymakers.
Moreover, last October, the federal Office of Management and Budget began requiring federal agencies to adopt the NIST Framework. A number of states also have adopted the NIST Framework for their own operations. When Virginia adopted the framework in 2014, Gov. Terry McAuliffe stated that the move “will strengthen the Commonwealth’s ability to fight cyber crime and further enhance Virginia’s position as a leader in cybersecurity.”
In addition to helping companies reduce their litigation risk, adoption of the framework is increasingly required in business-to-business contracts. And some insurers, when evaluating companies for cybersecurity insurance, are beginning to assess whether companies have incorporated the framework into their operations.
In short, although the NIST framework is entirely voluntary, companies would be wise to pay careful attention to the five elements, and determine how they can incorporate them into their daily operations. The framework is quickly becoming the de facto standard for thinking about how we approach cybersecurity, and that is a good thing.