On December 5, 2017, the National Institute of Standards and Technology (“NIST”) published a proposed update to its Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). NIST is a non-regulatory federal agency within the Department of Commerce, with a mission to promote innovation and industrial competitiveness in the United States by advancing measurement science, standards and technology in beneficial ways. The Framework was initially developed as a result of the issuance of Executive Order 13636 in 2013 (“Executive Order”), which specifically addressed the cybersecurity of critical infrastructure (defined below) and directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to such critical infrastructure. Therefore, the Framework provides nonbinding guidance, and compliance is not mandatory. In practice, the Framework is used as the basis for best practices by many companies in the United States that have cybersecurity policies and procedures. The Framework has generally been praised as a successful example of cooperation between the public and private sector and is cited by many as a more effective approach than prescriptive regulatory requirements.
This second version of the Framework (“Version 1.1”) comes more than three years after the initial version, which was published on February 12, 2014 (“Version 1.0”). Version 1.1 is intended to provide clarifications in response to stakeholder comments on Version 1.0. It generally reflects NIST’s improved and more nuanced understanding of the cybersecurity landscape, containing revisions throughout the Framework that enhance both language and approach, including with respect to cybersecurity measurements, the role of measurements in self-assessment and the use of the Framework to manage cybersecurity within supply chains. Further, it refines language relating to authorization, authentication and identity proofing practices (which were not as thoroughly addressed in Version 1.0) and introduces a distinction between the treatment of “Cybersecurity Events” (i.e., a cybersecurity change that may have an impact on organizational operations) and “Cybersecurity Incidents” (i.e., a cybersecurity event that has been determined to have an impact on the organization, prompting the need for response and recovery). Version 1.1 also reflects NIST’s acknowledgment of the emergence of new technological developments, bringing connected devices such as the Internet of Things within the scope of its guidance. In addition to Version 1.1, NIST also published a draft update to the Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap”), a companion document to the Framework, the prior version of which was published concurrently with Version 1.0. The Roadmap describes plans for advancing the Framework development process, discusses next steps and identifies key areas of development, alignment and collaboration. The full text of Version 1.1 can be accessed here. The full text of Version 1.1 of the Roadmap can be accessed here.
Although the Framework was originally established to improve cybersecurity risk management in “critical infrastructure” (defined in the Executive Order as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”), its high-level, standards-based content gives the updated Framework potentially broader applicability as a tool for all companies. The introduction to Version 1.1 specifically indicates that “it can be used by organizations in any sector of the economy or society” and is “intended to be useful to companies, government agencies, and not-for-profits, regardless of their focus or size.” Thus, companies that are not already subject to binding cybersecurity regulations specific to their sector would be remiss in not consulting the Framework to assess their own risks and to develop and maintain organizational cyber protections accordingly. The Framework may also be indicative of, or have an influence on, future regulatory priorities. Notably, principles taken from Version 1.0 were incorporated into the federal banking agencies’ Cybersecurity Assessment Tool.
NIST invites public comment on Version 1.1 until Friday, January 19, 2018, with a view to finalizing it in Spring 2018.