On February 12 at a White House event headlined by two Cabinet Secretaries, the President’s Chief of Staff, and three CEOs, the National Institute of Standards and Technology (NIST) released version 1.0 of a “Framework for Improving Critical Infrastructure Cybersecurity” (Framework). Likely to become a highly influential benchmark for assessing the reasonableness of corporate cybersecurity programs, the Framework was developed with input from hundreds of private sector, governmental, and other experts pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
NIST also released a companion Roadmap for Improving Critical Infrastructure Cybersecurity, which describes the agency’s plan to maintain the Framework as a “living document” as well as “key areas of development, alignment, and collaboration” such as a “privacy engineering” workshop NIST will hold in the second quarter of 2014.
President Obama issued a statement hailing the Framework’s release, stating that the “voluntary Framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge,” but noting that “much more work needs to be done to enhance our cybersecurity.” In parallel, the Department of Homeland Security (DHS) announced a new public-private initiative: the Critical Infrastructure Cyber Community C3 (pronounced “C Cubed”) Voluntary Program.
The Framework includes significant changes from the preliminary version released in October 2013, most notably with regard to how the privacy methodology is presented.
A significant change in the final version of the Framework involves revisions to the privacy methodology. The preliminary version of the Framework included a separate appendix presenting a privacy methodology mapped to every cybersecurity function and category identified in the Framework Core, with informative references largely to NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.” In the final version of the Framework, NIST largely adopted an industry consensus alternative (originally put forward by Hogan Lovells) to its proposed privacy methodology, and shifted this cybersecurity-focused privacy guidance to the “How to Use” section of the Framework.
Significantly, the final Framework recognizes that “not all activities in a cybersecurity program may give rise to” privacy considerations. The privacy methodology discusses the privacy considerations potentially arising from cybersecurity activities and identifies the associated policy and process measures and controls that entities using the Framework can incorporate into their cybersecurity programs to address such considerations, namely in their approach to cybersecurity governance; access controls; awareness and training; anomalous activity detection and monitoring; and response activities including information-sharing. The Framework also recognizes that it is the role of government or agents of government, and not the private sector, to address any civil liberties implications of cybersecurity activities.
Unlike the preliminary version, the final version of the Framework does not define “personal information” or “personally identifiable information.” Organizations that plan to use the Framework and its privacy methodology will thus be able, in the first instance, to apply the definition of that key term that best reflects their particular sector or activity. The preliminary version’s Framework Core also contained a specific Subcategory regarding protection of personal information, which has been removed in the final version of the Framework in recognition that organizational data security programs, to be effective, must take a unified approach to the assessment, prioritization, and management of risks to multiple types of data, from business secrets to personal information and beyond.
While the Framework Core retains the same structure as existed in the preliminary version, with cybersecurity activities divided into Functions, Categories, and Subcategories, NIST made several revisions to the Categories and Subcategories contained within each of the five Functions.
Significantly, the final version of the Framework includes new cybersecurity activities:
- PR.IP-12 (Protect, Information Protection Processes and Procedures): “A vulnerability management plan is developed and implemented.”
- RS.MI-3 (Respond, Mitigation): “Newly identified vulnerabilities are mitigated or documented as accepted risks.”
- RC.CO-3 (Recover, Communications): “Recovery activities are communicated to internal stakeholders and executive and management teams.”
The Framework’s guide to “Establishing or Improving a Cybersecurity Program” largely remains the same, but NIST has added language on risk analysis and management. The final version of the Framework also adds an orientation step in which, after setting the scope of the cybersecurity program, an organization “identifies related systems and assets, regulatory requirements, and overall risk approach” and “threats to, and vulnerabilities of, those systems and assets.”
The Framework Implementation Tiers remain largely unchanged, but NIST has added clarifying text that “while organizations identified as Tier 1 (Partial) are encouraged to consider moving toward Tier 2 or greater, Tiers do not represent maturity levels” and that “successful implementation of the Framework is based upon achievement of the outcomes described in the organization’s Target Profile(s) and not upon Tier determination.”
New “C-Cubed” Program and Incentives
Alongside release of the Framework, DHS also formally launched a new effort to encourage and support Framework adoption: the Critical Infrastructure Cyber Community (C3) Voluntary Program. DHS established a new US-CERT website for the rebranded initiative, which seeks to create a one-stop shop for all critical infrastructure owners and operators (and other interested companies and groups) seeking to improve their cybersecurity programs and considering use of the Framework. The C3 Voluntary Program will focus on supporting use of the Framework, developing general and sector-specific guidance regarding the Framework, engaging in outreach and communications, and collecting feedback on the Framework.
The administration has not yet finalized its plan to further provide incentives for Framework adoption. The Executive Order called for various agencies to submit proposals regarding potential incentives, and in August 2013 the White House released a statement regarding the incentives proposals under consideration. Administration officials indicated at the event announcing the Framework’s release that such proposals will be shared publicly over the next few months. White House Cybersecurity Coordinator Michael Daniel also noted that market-based incentives will be the important drivers of Framework use. That view was shared by the CEOs of AT&T, Lockheed Martin, and Pepco, who joined Commerce Secretary Pritzker on stage at the Framework launch event and who also emphasized the importance of companies addressing vendor security and of Congress adopting protective cybersecurity legislation.
An array of domestic and international outreach is planned by NIST and other parts of the federal government to promote the Framework and gain feedback.
U.S. regulatory agencies with responsibility for regulating critical infrastructure security will maintain their focus on cybersecurity as they are required by the Executive Order to determine and indicate by May 2014 whether their current regulatory powers are sufficient to address cybersecurity risks in their sectors. If they are not, they must propose “prioritized, risk-based, efficient, and coordinated actions” to mitigate cyber risks.
The President’s statement issued today included a renewed call for “Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties.” Congress has been actively considering numerous cybersecurity-related bills this year. Most recently, the House Homeland Security Committee passed the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (H.R. 3696) (NCCIP Act). This bipartisan bill is aimed at preventing cyber attacks on the nation’s critical infrastructure, fostering public-private collaboration on cybersecurity, amending the SAFETY Act, and increasing the DHS cybersecurity workforce.
As soberly described today by White House Chief of Staff Denis McDonough, cyber threats are one of the few systemic risks that the United States still faces and thus wide-ranging efforts are required. The issuance of the Cybersecurity Framework is a significant milestone in this respect and will likely have influence in corporate boardrooms and operations in the United States and beyond, but by no means will it be the only significant development of 2014 in this area.