The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

NIST Updates Proposed National Cybersecurity Framework


As noted earlier on this blog, President Obama issued a sweeping Cybersecurity Executive Order in February, which called for the development of a national cybersecurity framework to mitigate risks to federal agencies and critical infrastructure. On October 22, the National Institute of Standards and Technology (NIST) published a Preliminary Cybersecurity Framework, which is a revision to their Draft Cybersecurity Framework published in August. The preliminary framework is the result of a series of public workshops and input from more than 3,000 individuals and organizations on standards and best practices.

According to NIST Director Patrick Gallagher, the goal of the NIST framework is to “turn today’s best [security] practices into common practices,” and to create a set of security guidelines for businesses to protect themselves from evolving cybersecurity threats. Adoption of the NIST framework, however, would be voluntary for companies, since NIST is a non-regulatory agency within the Department of Commerce.

Despite the voluntary nature of the framework, it has received a fair measure of criticism from businesses concerned that these standards will increase negligence liability once regulatory agencies establish requirements based on these standards. It is likely that courts will rely—at least in part—on any such standards to help define what “reasonable” cybersecurity measures are.

This concern is not without merit. Courts have struggled with the definition of reasonable cybersecurity, and these struggles have taken on greater urgency as questions about the vulnerability of the nation’s critical infrastructure and the protection of private information have multiplied. The principal problem is the moving target that “reasonable security” presents to businesses and individuals. In order to address some of these questions, NIST has published standards such as the Security and Privacy Controls for Federal Information Systems and Organizations, the final revision of which was released in April. Other sources, such as the Uniform Commercial Code, also attempt to address reasonable security, but their language is too often frustratingly vague.

In an effort to address some of these concerns, the preliminary framework has increased the flexibility of its standards. For example, NIST has removed use of the word “should” from the updated draft, and added a paragraph that gives organizations greater options in their security implementations:

Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.

On the other hand, privacy groups have objected to the framework’s lack of requirements, and have called for protections for civil liberties as well as a commitment to civilian control of cybersecurity. Advocacy groups have also questioned reports that the National Security Agency (NSA) has directed NIST to reduce key security standards. NIST has not yet commented on any NSA involvement in the development of the framework, but has initiated an internal audit to review its own method for guidance development.

On October 29, NIST opened a 45-day public comment period, with plans to release the final version of the framework in February 2014. NIST will also host a workshop to discuss the state of the framework at North Carolina State University on November 14th and 15th. While it is unlikely that every stakeholder group will be completely satisfied with the final version of the framework, a strengthening of the nation’s critical infrastructure in the form of mutually agreed-upon, reasonable standards will surely be welcome.


Author: Jeffrey L. Vagle

Jeffrey L. Vagle is an associate with Pepper Hamilton LLP, resident in the Philadelphia office. Mr. Vagle concentrates his practice on privacy, data security, Internet law, and technology-related matters.
