A First Look at Obama’s Newly Released Cybersecurity Framework for Nation’s Critical Infrastructure

It took a year to put it together, but earlier this week, the White House released the final version of the Cybersecurity Framework, a set of standards for the companies that make up country’s “critical infrastructure.” It was a monumental effort, explain attorneys Jim Halpert, Ryan Sulkin, and Sydney White of DLA Piper:

“Over the course of the past year, [National Institute of Standards and Technology Framework (NIST)] has worked with critical infrastructure (CI) owners and operators, including public and private sector organizations, trade associations and other industry groups, other federal agencies including the Department of Homeland Security and state, local and tribal governments to develop a voluntary, risk-based framework to promote and enhance the security and resiliency of CI and to help organizations, regardless of industry sector or size, to manage cyber risk.  During the development of the Framework, NIST held workshops, requested comments and met with stakeholders in order to maximize private sector input to ensure the Framework reflects current industry sector standards, guidelines and best practices.”

Halpert, Sulkin, and White identify three early takeaways for the nation’s critical industries:

1. The Framework will continue to evolve:

“The Framework is version 1.0, and the Administration plans for subsequent versions to be updated and refined, although NIST will be handing off its role overseeing these changes to a yet to be determined private sector organization.  Prior to that time, this spring or summer, NIST plans to hold additional workshops on the Framework.  NIST officials have indicated that at least one workshop will address privacy and civil liberties, in an effort to foster the development of  privacy standards, which could be included in future versions of the Framework.”

2. It’s voluntary, but should quickly be adopted by the business community:

Administration speakers emphasized today that the Framework is intended to be voluntary and flexible.  Whether or not use of the Framework is later required by regulation in critical infrastructure sectors, we think it is likely that some modified version the Framework Core will make its way into commercial contracts for critical infrastructure and possibly other services, and that the plaintiffs’ bar will attempt to test the Framework as a standard of care for cybersecurity.

3. The Framework is designed help organizations protect their data and systems:

“The Framework is not intended to replace existing sector standards or to add an unnecessary layer on existing standards and practices.  Instead, it is designed to act as a roadmap for navigating how an organization can apply existing standards and practices in order to build a risk-based cybersecurity plan or improve an existing plan.”

Read the full update: Executive Branch acts on cybersecurity – what you need to know about this groundbreaking effort

Also read:

Related:

Read more on Cybersecurity at JD Supra Business Advisor>>