As noted earlier on this blog, President Obama issued a sweeping Cybersecurity Executive Order in February, which called for the development of a national cybersecurity framework to mitigate risks to federal agencies and critical infrastructure. On October 22, the National Institute of Standards and Technology (NIST) published a Preliminary Cybersecurity Framework, which is a revision to their Draft Cybersecurity Framework published in August. The preliminary framework is the result of a series of public workshops and input from more than 3,000 individuals and organizations on standards and best practices.
According to NIST Director Patrick Gallagher, the goal of the NIST framework is to “turn today’s best [security] practices into common practices,” and to create a set of security guidelines for businesses to protect themselves from evolving cybersecurity threats. Adoption of the NIST framework, however, would be voluntary for companies, since NIST is a non-regulatory agency within the Department of Commerce.
Despite the voluntary nature of the framework, it has received a fair measure of criticism from businesses concerned that these standards will increase negligence liability once regulatory agencies establish requirements based on these standards. It is likely that courts will rely—at least in part—on any such standards to help define what “reasonable” cybersecurity measures are.
This concern is not without merit. Courts have struggled with the definition of reasonable cybersecurity, and these struggles have taken on greater urgency as questions about the vulnerability of the nation’s critical infrastructure and the protection of private information continue to arise. The principal problem is the moving target that “reasonable security” presents to businesses and individuals. To address some of these questions, NIST has published standards such as the Security and Privacy Controls for Federal Information Systems and Organizations, the final revision of which was released in April. Other sources, such as the Uniform Commercial Code, also attempt to address reasonable security, but their language is too often frustratingly vague.
In an effort to address some of these concerns, the preliminary framework has increased the flexibility of its standards. For example, NIST has removed the word “should” from the updated draft and added a paragraph that gives organizations greater latitude in their security implementations:
Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.
On the other hand, privacy groups have objected to the framework’s lack of requirements, and have called for protections for civil liberties as well as a commitment to civilian control of cybersecurity. Advocacy groups have also questioned reports that the National Security Agency (NSA) has directed NIST to reduce key security standards. NIST has not yet commented on any NSA involvement in the development of the framework, but has initiated an internal audit to review its own method for guidance development.
On October 29, NIST opened a 45-day public comment period, with plans to release the final version of the framework in February 2014. NIST will also host a workshop to discuss the state of the framework at North Carolina State University on November 14th and 15th. While it is unlikely that every stakeholder group will be completely satisfied with the final version of the framework, a strengthening of the nation’s critical infrastructure in the form of mutually agreed-upon, reasonable standards will surely be welcome.