Privacy and Business Needs Are Focus of Latest NIST Cybersecurity Framework

“[G]iven the tremendous increase in hacking, cybercrime, and potential liability for cyber incidents, every private organization has ample incentive to analyze its existing cybersecurity practices and risks, and identify steps for potential reduction of that risk, whether through the Framework or otherwise.” (Daniel Reing and Bob Scott of Davis Wright Tremaine)

Late last month, the National Institute of Standards and Technology (NIST) published the latest version of the country’s cybersecurity framework. The background, from attorneys at Skadden Arps:

“The Preliminary Framework represents the first full draft of the Cybersecurity Framework that President Obama ordered NIST to develop in his February 12, 2013, executive order addressing the regulation of critical infrastructure network security. […] While the Preliminary Framework does not propose new cybersecurity standards, the executive order mandates that agencies use the Framework (once it is finalized) as the basis for reviewing critical infrastructure cybersecurity within regulated sectors. The executive order also asks those agencies to consider whether they have the legislative authority to enact any regulations that might be required. As a result, companies in regulated critical infrastructure industries should understand the basic contours of the Preliminary Framework.”

But the framework is intended to help all businesses protect their data and systems from hacks, cyber attacks, and security breaches, writes attorney Pedro Pavon of Carlton Fields:

“The … Framework outlines steps that can be customized to various sectors and adapted by large and small organizations while providing a consistent approach to cybersecurity across industries. It is intended to provide a common ‘language’ and platform for organizations to determine and describe their cybersecurity posture as well as evaluate risk and develop a strategy to address gaps and identify weaknesses.”

Here’s a look at three key takeaways from the Framework:

1. Privacy and civil liberties moved to the forefront:

“The Preliminary Framework … adds more detail to the last draft’s ‘Methodology to Protect Privacy and Civil Liberties.’ Specifically, Appendix B of the Preliminary Draft has been updated to add detailed standards that address privacy concerns as organizations implement the Core Framework categories. The added standards cover functions such as taking inventory of personal data, privacy training for organizations, transparency, notice, and data minimization practices.” (Daniel Reing and Bob Scott at Davis Wright Tremaine)

2. Increased consideration of business needs:

“The recent publication has increased emphasis on ‘factoring in other business needs including cost-effectiveness and innovation.’ This emphasis is reflected in the Framework core as well. Where in earlier versions, specific steps were defined for each Framework category and subcategory (e.g., ‘Protect remote access to organization networks to include telework guidance, mobile devices access restrictions, and cloud computing policies/procedures’), the current version allows an organization more flexibility in claiming that it has achieved the subcategory (e.g., ‘Remote access is managed’). Whether this increased flexibility in describing an organization’s achievement of a Framework core goal enhances or diminishes the effectiveness of the Framework is likely to be the subject of many formal comments.” (Jonathan Cain at Mintz Levin)

3. New focus on industrial control systems:

“… the Preliminary Framework clarifies that critical infrastructure operators should employ the Framework not only to address information technology security, but also industrial control system (ICS) security. Companies in critical infrastructure sectors that use ICSs, including energy, nuclear services and transportation, should be aware of the potential for new regulation of those systems.” (Skadden Arps)

The updates:

