December 2014 Journal of Internet Law
The NIST Cybersecurity Framework: Overview and Potential Impacts
By Lei Shen
With the recent and increasing number of high-profile data breaches, businesses are becoming increasingly concerned about cybersecurity. Such data breaches have cost the affected companies millions of dollars due to liability, lawsuits, reduced earnings, decreased consumer trust, and falling stock prices, while putting consumers at risk. Even though the recent attacks have targeted consumer data, such attacks may have even greater impact when targeted at the nation’s critical infrastructure. The White House acknowledged this when it issued Executive Order 13636,[1] which required the National Institute of Standards and Technology (NIST), a non-regulatory agency of the Department of Commerce, to develop a “cybersecurity framework” to help regulators and industry participants identify and mitigate cyber risks that potentially could affect national and economic security.
To develop the framework and gain an understanding of the current cybersecurity landscape, NIST consulted hundreds of security professionals in the industry. It held a number of workshops that were attended by many participants from the private sector, and it reviewed numerous comments to the drafts of the proposed framework that it posted for review.[2] More than 3,000 individuals and organizations contributed to the framework.[3]
On February 12, 2014, NIST released its final cybersecurity framework, titled “Framework for Improving Critical Infrastructure Cybersecurity” (hereinafter Framework).[4] Through the collaborative public-private partnership, the resulting Framework adopts industry standards and best practices to provide a set of voluntary, risk-based measures that can be used by organizations to address their cybersecurity risk.
Although the goal of the Framework is to better protect critical infrastructure,[5] such as banks and utilities, from cyber attacks, the Framework is a flexible and technology-neutral document that can be used by organizations of any size, sophistication level, or degree of cyber risk. Organizations can use the Framework as a guideline to assess their existing cybersecurity program or to build one from scratch, set goals for cybersecurity that are in sync with their business environment, prioritize opportunities for improvement, or establish a plan for improving or maintaining their cybersecurity.
The Framework also is a valuable tool to help executives understand their company’s security practices. Executives may use the Framework to see how their company’s cybersecurity practices measure up to the Framework’s standards, understand where the company’s vulnerabilities lie, and determine if they are doing enough.
While the Framework is voluntary and may be criticized as being little more than a compilation of established industry security practices, the Framework nevertheless will likely become an influential benchmark for assessing an organization’s cybersecurity. This article provides an overview of the NIST Framework and an analysis of its potential impact on businesses.
SUMMARY OF NIST CYBERSECURITY FRAMEWORK
The Framework is made up of three components: (1) the Framework Core, (2) Profiles, and (3) Tiers. Organizations can use these three components together to conduct a comprehensive review of their cybersecurity program.

Lei Shen is a senior associate in the Privacy & Security and Business & Technology Sourcing practice groups at Mayer Brown in Chicago, IL. She focuses her practice on privacy and security, technology and business process outsourcing, and information technology transactions. Ms. Shen has passed the Certified Information Privacy Professional/United States (CIPP/US) certification exam offered by the International Association of Privacy Professionals (IAPP). She co-chairs the editorial team for both the Mayer Brown Privacy Post newsletter and the Mayer Brown Business & Technology Sourcing Review newsletter. Lei joined Mayer Brown in 2006.
FRAMEWORK CORE
The main component of the Framework is the Framework Core (hereinafter Core). The Core presents a variety of cybersecurity-related activities and outcomes that can be found in a cybersecurity program, such as the performance of vulnerability scans and the detection of malicious code. The activities and outcomes are organized into five main groups or “Functions”: (1) Identify, (2) Protect, (3) Detect, (4) Respond, and (5) Recover. Each Function is divided into “Categories” and “Subcategories” of cybersecurity activities and outcomes. Those Categories and Subcategories point to specific industry-accepted standards and guidelines (e.g., COBIT 5, ISO 27001) that provide more in-depth instruction on how to achieve each specific activity or outcome.
For example, if an organization is concerned about its incident response plan, it can look within the “Respond” Function. The Respond Function is divided into five Categories: (1) Response Planning, (2) Communications, (3) Analysis, (4) Mitigation, and (5) Improvements. Each of those Categories is broken down into various Subcategories of cybersecurity activities. For example, the “Response Planning” Category has one Subcategory (i.e., “Response plan is executed during or after an event”), while the “Improvements” Category has two Subcategories (i.e., “Response plans incorporate lessons learned” and “Response strategies are updated”). Each of the Subcategories then references related resources, or “Informative References,” that are industry standards and guidelines that provide more detail on how to complete each activity.
An organization that uses the Framework need not include all of the Core activities in its cybersecurity program, but rather can choose only those activities that are applicable to it.
PROFILES
The Framework Profiles (hereinafter Profiles), which can be used in conjunction with the Core, provide a summary of an organization’s cybersecurity program and can be used to align an organization’s cybersecurity activities (such as those found within the Framework Core) with its business requirements, risk tolerances, and organizational resources. Organizations can perform a self-assessment to develop a “Current Profile” and a “Target Profile.” An organization’s “Current Profile” provides a view of the current state of its cybersecurity program (i.e., those elements of the Framework Core that it is currently achieving), while an organization’s “Target Profile” identifies a target or goal state (i.e., those elements of the Framework Core that it desires to achieve). After establishing its Current and Target Profiles, an organization can identify gaps between the two and establish a road map for areas that the organization needs to strengthen in order to progress toward its target state. To allow for flexibility in implementation, the Framework does not provide a template for creating Profiles.
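The Core hierarchy and the Current-versus-Target gap analysis described in the two preceding sections can be modelled in a few lines of code. The following is an added example written for this article; it is not part of the article or of NIST’s Framework materials. The Respond Function, its five Category names, and the three quoted Subcategory outcomes are taken from the text; the wording of the other three outcomes, the status values, and the category priorities are constructed for illustration, and the status vocabulary (achieved / partial / not achieved) is an assumption, since the Framework itself provides no Profile template.

```python
"""Toy model of the Framework Core and a Current-vs-Target Profile gap analysis.

Added example, not part of the article or of NIST's Framework. Names of the
Respond Function, its Categories and the three quoted Subcategory outcomes
come from the article; everything marked "constructed" is illustrative only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed status vocabulary: the Framework does not prescribe one.
ACHIEVED, PARTIAL, NOT_ACHIEVED = "achieved", "partial", "not achieved"


@dataclass(frozen=True)
class Subcategory:
    """One Core outcome: Function > Category > Subcategory (outcome statement)."""
    function: str
    category: str
    outcome: str


# A slice of the Core: the Respond Function (Category names from the article).
CORE = (
    Subcategory("Respond", "Response Planning",
                "Response plan is executed during or after an event"),
    Subcategory("Respond", "Communications",
                "Personnel know their roles and order of operations"),     # constructed wording
    Subcategory("Respond", "Analysis",
                "Notifications from detection systems are investigated"),  # constructed wording
    Subcategory("Respond", "Mitigation",
                "Incidents are contained and eradicated"),                 # constructed wording
    Subcategory("Respond", "Improvements",
                "Response plans incorporate lessons learned"),
    Subcategory("Respond", "Improvements",
                "Response strategies are updated"),
)


def build_profile(core, statuses, default=NOT_ACHIEVED):
    """A Profile maps every Core outcome to a status; unlisted outcomes get `default`.

    Rejects outcomes that are not in the Core so a typo in a self-assessment
    cannot silently create an outcome the Framework does not define.
    """
    unknown = set(statuses) - {s.outcome for s in core}
    if unknown:
        raise ValueError(f"not in the Core: {sorted(unknown)}")
    return {s.outcome: statuses.get(s.outcome, default) for s in core}


def find_gaps(core, current, target):
    """Outcomes the Target Profile wants achieved that the Current Profile does not achieve.

    Outcomes the target leaves out of scope are ignored, mirroring the article's
    point that an organization need not adopt every Core activity.
    """
    return [s for s in core
            if target[s.outcome] == ACHIEVED and current[s.outcome] != ACHIEVED]


def roadmap(gaps, category_priority):
    """Group gaps by Category and order them by business priority (lower number first)."""
    by_category = defaultdict(list)
    for s in gaps:
        by_category[s.category].append(s.outcome)
    return sorted(by_category.items(),
                  key=lambda kv: (category_priority.get(kv[0], 99), kv[0]))


# Constructed self-assessment: what the organization does today ...
CURRENT = build_profile(CORE, {
    "Response plan is executed during or after an event": ACHIEVED,
    "Notifications from detection systems are investigated": PARTIAL,
    "Incidents are contained and eradicated": ACHIEVED,
})
# ... and what it wants to reach (it chooses not to pursue one Improvements outcome).
TARGET = build_profile(CORE, {s.outcome: ACHIEVED for s in CORE
                              if s.outcome != "Response strategies are updated"})
# Constructed priorities reflecting the organization's own risk tolerance.
PRIORITY = {"Analysis": 1, "Communications": 2, "Improvements": 3}


if __name__ == "__main__":
    for category, outcomes in roadmap(find_gaps(CORE, CURRENT, TARGET), PRIORITY):
        print(category)
        for outcome in outcomes:
            print("  -", outcome)
```

Running the block prints a road map of three gaps grouped under Analysis, Communications and Improvements, in that order; the "Response strategies are updated" outcome is absent because the Target Profile excludes it, and a partially achieved outcome still counts as a gap. The same structure extends to all five Functions by adding Subcategory rows.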
TIERS
The Implementation Tiers (Tiers), which are separate from the Core, may be used by organizations to self-rank their cybersecurity risk management practices. There are four Tiers available, ranging from Tier 1 (Partial) to Tier 4 (Adaptive). Each Tier refers to an increasing level of rigor and sophistication in an organization’s cybersecurity practices.
The lowest Tier is Tier 1 (Partial), which is characterized as an organization not having “formalized” risk management practices and having little awareness of cybersecurity risks. Tier 4 (Adaptive), on the other hand, describes organizations that can adapt “cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities,” are generally aware of cybersecurity risks, and have an organization-wide approach to managing such risks.
After organizations have identified where they stand in the four-Tier structure, they can determine whether they should consider investing additional resources to move to a more rigorous Tier. While organizations identified as Tier 1 (Partial) are encouraged to move toward a higher Tier, those organizations that already are higher Tiered may not need to move to a higher level. NIST cautions that progression to higher Tiers is encouraged when such a change is cost-effective and enhances cybersecurity. For example, it may not be cost-effective for a Tier 3 organization to become a Tier 4 organization if the increased protection it receives is relatively small compared to the cost to reach that additional level.
HOW TO USE THE FRAMEWORK
NIST identifies four different ways that organizations can use the Framework.
1. Basic Review of Cybersecurity Practices— Organizations can use the Framework to compare their current cybersecurity activities with those outlined in the Core to find out in which areas they are achieving the outcomes described in the Core and in which areas they may want to improve.
2. Establishing or Improving a Cybersecurity Program—The Framework lists steps that an organization can follow (such as creating a Current Profile and creating a Target Profile) to create a new cybersecurity program or to improve an existing one.
3. Communicating Cybersecurity Requirements with Stakeholders—Because the Framework establishes a common language to communicate cybersecurity requirements, an organization can use the Framework to communicate the organization’s cybersecurity requirements to its various stakeholders (e.g., service providers).
4. Identifying Opportunities for New or Revised Informative References—Organizations also can use the Framework to identify opportunities to revise or create new standards, guidelines, or practices.
POTENTIAL IMPACT OF THE FRAMEWORK
While the Framework is strictly voluntary and NIST has no enforcement authority, companies are encouraged to use the Framework because of its potential significant impact on a company’s cybersecurity practices, as described below.
INCENTIVES
While there are currently no incentives set for using the Framework, the White House has released a list of eight potential incentives that it is proposing to encourage adoption of the Framework.[6] Examples of such incentives include risk-based pricing for cybersecurity insurance and liability limitations (such as limited indemnity or lower burdens of proof) for organizations that adopt the Framework. Some incentives, such as limiting liability or providing a safe harbor for companies that adopt the Framework, may require federal legislation, but others, such as the awarding of federal critical infrastructure grants, may make earlier adoption of the Framework very attractive for some companies.
LEGISLATION
Congress and federal regulatory agencies may use the Framework as a basis for new legislation and regulations. Congress may also turn to legislation if it perceives that an insufficient number of organizations are voluntarily adopting the Framework and may make the Framework mandatory for critical infrastructure operators.
CONTRACTORS
As critical infrastructure companies begin adopting the Framework standards, the companies will likely start requiring their suppliers to use and abide by the Framework as well. Likewise, those suppliers will in turn require their own providers to abide by the Framework. This domino effect could dramatically increase usage in many industries and result in industries where adoption of the Framework is required by default in order to land a contract. For example, the Department of Defense has published a report that recommends the government “institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions.”[7]
INSURANCE
The Framework’s standards may shape how insurance carriers view data breaches. Insurance carriers may begin using the Framework as a baseline standard or benchmark in insurance contracts and may start tying a company’s cybersecurity Profile to its insurance rates.
LITIGATION
Without cybersecurity legislation in place, the Framework could effectively become the de facto standard for an organization’s cybersecurity efforts. Litigants, such as class action plaintiffs and even shareholders, may start using the Framework’s standards as a reasonableness measure in cybersecurity litigation, and may assert that the Framework establishes a standard of care that companies are obligated to follow. In light of the US Securities and Exchange Commission’s (SEC) increasing emphasis on the appropriate disclosure of cyber risks, plaintiffs may bring securities class action litigation alleging material omissions or misrepresentations of a company’s cyber risks based on the Framework. Enforcement actions by state attorneys general and regulators, such as the SEC and the Federal Trade Commission (FTC), may rely on a similar argument. In FTC v. Wyndham Worldwide Corporation, for example, counsel for Wyndham already have cited the Framework as a potential guide as to what constitutes reasonable data security.
On the other hand, organizations at risk for cyber attacks may use their compliance with the Framework as a defense against litigation related to a data breach or other cyber incidents. In addition, proper attention to cybersecurity risk-factor disclosures may decrease the likelihood of a company facing securities class action litigation.
While the Framework was not intended to be used as a prescriptive standard, organizations should be aware that the Framework may very well end up being used as such.
FUTURE OF THE FRAMEWORK
The Framework is likely to evolve as cybersecurity threats and standards evolve. NIST has said that the Framework is not intended to be a static document but rather a “living document.” It named the version of the released Framework as “version 1.0” and issued a supplementary roadmap for future developments and recommendations. Such updates will help the Framework keep pace with changes in technology and threats, incorporate lessons learned from its use, and ensure that the standards address the needs of various sectors in a dynamic and challenging environment.
CONCLUSION
The Framework is not intended to replace a company’s existing cybersecurity practices or to establish prescriptive standards. Rather, the Framework provides a tool for organizations to use to assess themselves and to use as a baseline to measure their cybersecurity programs. It is a reference point for objective evaluations of an organization’s cybersecurity programs and for identifying potential gaps in those programs.
In view of some recent high-profile data breaches and the pervasiveness of cybersecurity incidents in general, companies should pay close attention to the NIST Framework. While the Framework will not be a panacea for security issues, it has the potential to have a significant impact in many industries, not just those industries that are related to critical infrastructure.
NOTES

1. Exec. Order No. 13636, Improving Critical Infrastructure Cybersecurity (Feb. 19, 2013), available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.

2. Prior drafts of the NIST Cybersecurity Framework are available at http://www.nist.gov/cyberframework/cybersecurity-framework-archived-documents.cfm.

3. “NIST Releases Preliminary Cybersecurity Framework, Will Seek Comments,” NIST.GOV (Oct. 22, 2013), available at http://www.nist.gov/itl/cybersecurity-102213.cfm. (“Through a request for information and a series of workshops held throughout 2013, NIST engaged with more than 3,000 individuals and organizations on standards, best practices and guidelines that can provide businesses, their suppliers, their customers, and government agencies with a shared set of expected protections for critical information and IT infrastructure.”)

4. NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, NIST.GOV (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

5. The Executive Order defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the security, national economic security, national public health or safety, or any combination of those matters.”

6. Michael Daniel, “Incentives to Support Adoption of the Cybersecurity Framework,” The White House Blog (Aug. 6, 2013), http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework.

7. Department of Defense and General Services Administration, “Improving Cybersecurity and Resilience through Acquisition,” Department of Defense (Nov. 2013), available at http://www.defense.gov/news/Improving-Cybersecurity-and-Resilience-Through-Acquisition.pdf.
Copyright of Journal of Internet Law is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.