On February 12, 2014, the National Institute of Standards and Technology released the Framework for Improving Critical Infrastructure Cybersecurity. The Framework is intended to act as a set of industry standards and best practices for managing cybersecurity risks and was envisioned in the Executive Order issued by the President in February of 2013. By its terms, the Framework is to apply to businesses which are part of the country’s critical infrastructure sector. However, it is not completely clear what types of businesses make up the “critical infrastructure” sector. Mentioned among these critical infrastructure sectors are communications, critical manufacturing, energy, finance, health care and information technology, although the Framework arguably provides best-practices standards for all. Compliance with the Framework is voluntary.
The Framework, however, is just that: a framework, not a “one-size-fits-all” solution, but a guidebook for determining risks and risk tolerance in individual organizations. In addition, the Framework is expected to be updated – the recently released document is version 1.0.
The Framework Core presents a framework for outcomes and is not a checklist. It is akin to project management analysis. The five functions used to organize cybersecurity activities are:
- Identify – develop an understanding of how the data flow and storage work in the organization to manage and analyze risk to systems, data, assets and capabilities.
- Protect – develop and implement safeguards to help limit or contain the impact of a cybersecurity event, including requiring security and standards from vendors.
- Detect – develop and implement procedures and controls to identify a cybersecurity event, including requiring vendors to detect and expeditiously notify stakeholders if they experience a cybersecurity event.
- Respond – prepare and have a plan and procedures in place to take action in the event of a cybersecurity event.
- Recover – have a plan in place to restore any capabilities impaired due to a cybersecurity event to reduce the impact.
The Framework provides a structure of analysis for plans and activities that, if followed in a meaningful way (and the steps taken documented), would go a long way toward showing that reasonable security and procedures are in place and could, in fact, limit the consequences of a breach. Likely no one is immune to data breaches – compliance with policies and plans determined using the Framework analysis could mitigate losses and damages in the event of a lawsuit arising out of a cybersecurity event. Also, apparently coming later are government-provided incentives to promote participation in the Framework and related programs. The incentives are contemplated in the Executive Order, but are not yet established. Possible types of incentives which have been mentioned include cybersecurity insurance grants, liability limitation, streamlined regulation and public recognition.
The other side of the coin is that failure to follow the Framework analysis could result in a determination that the procedures in place do not rise to the commercially reasonable standard, likely resulting in additional liability.
Last, be aware that public assertions or advertising concerning adoption or use of the Framework must be accurate. The Federal Trade Commission (FTC) has taken an interest in cybersecurity and data protection and has brought numerous actions against companies that claimed compliance with the European Union Safe Harbor for data transfer, alleging that these companies were not actually in compliance with the terms of the safe harbor.
In any event, use of the Framework to determine risks and put policies and plans in place may be a prudent course and save expenses later.