In the past month, the National Institute of Standards and Technology has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications.
The U.S. Federal Communications Commission’s Public Safety and Homeland Security Bureau has requested public input on a recent report on Cybersecurity Risk Management and Best Practices by the Communications Security, Reliability and Interoperability Council for communications providers. The Report represents the latest example of the U.S. government’s continued attention to these issues following the President’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Comments are due May 29, with replies due June 26.
On March 16, the U.S. Commerce Department’s Internet Policy Task Force published a Request for Public Comment seeking input on the key cybersecurity issues affecting the digital ecosystem and digital economic growth. The IPTF aims to coordinate and facilitate consensus-based multistakeholder processes to generate collective guidance and identify best practices. Through this effort, the IPTF seeks to broaden the focus of federal cybersecurity efforts beyond securing critical infrastructure. The Request for Public Comment identifies a number of key cybersecurity challenges, and the IPTF is inviting commenters to highlight other topic areas that it should consider including as part of this process.
On December 5, the National Institute of Standards and Technology issued an update regarding its Framework for Improving Critical Infrastructure Cybersecurity. Since its release in February 2014, the Framework has become an important benchmark for corporate cybersecurity programs. NIST’s update addresses industry input received from an October workshop and an August Request for Information. It also describes NIST’s plans to support future use of the Framework.
The medical internet of things is coming. That was the common recognition of participants at a two-day public workshop on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” co-sponsored by the Food and Drug Administration, Department of Health and Human Services, and the Department of Homeland Security. The workshop comes during a busy month for medical device cybersecurity, with the FDA issuing final guidance earlier this month and DHS indicating that it is reviewing dozens of potential cybersecurity vulnerabilities in medical devices.
Government officials emphasized the importance of risk analysis and risk management in safeguarding PHI at the Seventh Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 23–24, 2014, and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. The conference’s themes—which include risk analysis and risk management, information sharing, and upcoming OCR enforcement efforts—highlighted how HIPAA regulated entities should approach cybersecurity considerations and compliance with the HIPAA Security Rule.
Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity, on August 21 the National Institute of Standards and Technology put forward a draft Request for Information to learn more about experiences with, and the effectiveness of, the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release.
On February 12 at a White House event headlined by two Cabinet Secretaries, the President’s Chief of Staff, and three CEOs, the National Institute of Standards and Technology released version 1.0 of a “Framework for Improving Critical Infrastructure Cybersecurity.” Likely to become a highly influential benchmark for assessing the reasonableness of corporate cybersecurity programs, the Framework was developed with input from hundreds of private sector, governmental, and other experts pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
On October 22, NIST released the official Preliminary Cybersecurity Framework under development pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. A formal 45-day comment period will begin once the Preliminary Cybersecurity Framework is published in the Federal Register, which is expected next week. NIST remains on track to meet the Executive Order’s February 2014 deadline for issuance of the final Cybersecurity Framework.
On August 28, NIST released a discussion draft of the Preliminary Cybersecurity Framework that it is developing pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. NIST invites stakeholder review of and input on this discussion draft, leading into the publication of the Preliminary Cybersecurity Framework on October 10 for formal public comment. The discussion draft follows what has already been an active summer with respect to cybersecurity.
In the past week, both the White House and Senate have taken some notable steps on cybersecurity. Both sets of developments largely relate to the Cybersecurity Framework being developed by the National Institute of Standards and Technology (NIST) pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
Development of the new Cybersecurity Framework is now in full swing. President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity (which we previously covered) calls on NIST to lead the development of a Cybersecurity Framework that will provide “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address […]