NIST Cybersecurity Framework: Don’t Underestimate It

A cybersecurity framework for critical infrastructure owners is voluntary but will become the <i>de facto</i> standard for litigators and regulators. Here's how to prepare.

Gerald Ferguson, Partner, BakerHostetler LLP

December 9, 2013

4 Min Read
InformationWeek logo in a gray background | InformationWeek

Any company that is managing critical infrastructure in the US and disregards the Preliminary Cybersecurity Framework, issued by the National Institute of Standards and Technology (NIST) in late October, does so at its own peril. The framework, which is now in its final comment stage and due to be released in mid-February, lays out a set of comprehensive but voluntary cybersecurity practices.

However, critical infrastructure owners need to recognize that, if a company's cybersecurity practices are ever questioned during a regulatory investigation and litigation, the baseline for what's considered commercially reasonable is likely to become the NIST Cybersecurity Framework.

The Department of Homeland Security defines critical infrastructure companies broadly to include banking and finance, communications, critical manufacturing, the defense industrial base, energy, emergency services, food and agriculture, healthcare, information technology, utilities, and transportation systems. These companies should be prepared to document and demonstrate that their cybersecurity practices are consistent with the practices promoted through the NIST framework.

The framework was issued at the direction of the White House in February under Executive Order 13636. The order tasked the NIST to develop a "set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks."

[ Want more background on the NIST Cybersecurity Framework? Read NIST Releases Preliminary Cybersecurity Framework. ]

The NIST has conducted four cybersecurity workshops, and it consulted with more than 3,000 individuals and organizations on best-practices for securing IT infrastructure prior to releasing the framework. That level of consultation in creating the framework -- and the broad industry input -- support the notion that the framework will be recognized as an industry standard.

There are no surprises in the framework, since it represents a summary of best-practices. It provides companies with standardized criteria for analyzing and mitigating risks. Those risks are organized around five core activities that a company's management and IT security teams routinely must perform when dealing with security risks: identify, protect, detect, respond, and recover. For each of these activities, the framework sets out a number of methods, practices, and strategies it recommends for effectively minimizing cyberrisk.

The NIST framework also establishes four implementation tiers, which describe how extensively a company might manage its cybersecurity risks. The higher the tier, the more advanced a company's risk management procedures become.

Critical infrastructure companies defending their cybersecurity practices in litigation or regulatory investigations should be prepared to show that the practices adhere to Tier 4, considered "adaptive," meaning a company is regularly evaluating the threats it faces, testing its procedures, and modifying these procedures where appropriate to address new threats.

The framework also highlights why it is important for senior management to establish and supervise a cybersecurity program. The framework places senior management at the top of the decision-making process and holds senior managers responsible for compliance with the framework. Although senior managers without a technical background might be tempted to defer responsibility to their IT departments, complying with the framework requires them to be educated about the choices their company faces and to take responsibility for allocating appropriate resources to address risks.

Ultimately, the NIST framework seeks to establish a common vocabulary for companies to discuss and evaluate one another's cybersecurity practices. If the framework is used as an industry standard in a legal proceeding, it won't be enough for a company to have engaged in practices similar to those described in the framework. It must be able to document its compliance with the framework in the language of the framework.

There are additional benefits companies might want to consider. The Obama administration is considering certain incentives to promote the framework and spur its adoption. Those incentives might include cybersecurity insurance, rate recovery, process preference, and grants for adopters.

In preparation for potential recognition of the framework as an industry standard for critical infrastructure companies, these companies should consider doing the following.

  1. Revise security policy documents to adopt and reflect the language and vocabulary of the framework.

  2. Establish regular procedures for identifying new threats, testing security procedures, and updating procedures to address those threats, thereby establishing an adaptive cybersecurity program.

  3. Ensure that senior management is active in establishing a cybersecurity strategy for the company and reviewing the implementation of that strategy.

Foolproof cybersecurity protection does not exist. But by taking these steps, a critical infrastructure company will be well positioned to defend its practices as meeting industry standards when things go wrong.

Gerald Ferguson serves as the coordinator for the Intellectual Property, Technology, and Media Group in BakerHostetler's New York office and as the mational co-leader of its Privacy and Data Protection Team.

0pen testing helps companies become more secure by finding and analyzing their insecurities, but pen test services can be fraught with their own kind of risk. In this Dark Reading report, Choosing, Managing, And Evaluating A Penetration Testing Service, we recommend what to look for in a provider and its wares, how to get what you pay for, and how to ensure that pen testing itself doesn't open the company or its employees up to new risk (free registration required).

About the Author

Gerald Ferguson

Partner, BakerHostetler LLP

Gerald (Jerry) Ferguson serves as the Coordinator for the Intellectual Property, Technology, and Media Group in BakerHostetler's New York office and as the National Co-Leader of BakerHostetler's Privacy and Data Protection Team.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights