The Federal Financial Institutions Examination Council recently released an updated version of its Cybersecurity Assessment Tool, which, according to FFIEC, is designed to help the financial institutions voluntarily using the tool to “identify their cyber risks and determine their cybersecurity preparedness.” We explore the changes to the CAT in this post.
In the past month, the National Institute of Standards and Technology has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications.
The Internet of Things continues to draw broad interest from policymakers and regulators around the globe. Following on the heels of a major distributed denial-of-service attack in October 2016 that leveraged potentially millions of compromised IoT devices, members of Congress have sent letters to US federal agencies regarding the risks posed by insecure IoT devices and held a hearing about what if anything should be the US federal response to such IoT-driven cyberattacks. Against that backdrop, in November 2016 two US federal agencies have issued guidance on securing IoT.
Representatives from government and the private sector discussed the present state of healthcare cybersecurity, and experts discussed practical strategies for implementing the HIPAA Security Rule at the ninth annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference held from October 19–20, 2016 and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. Comprehensive, enterprise-wide risk analysis and risk management practices remained points of emphasis throughout the conference. Additional themes, which we outline in this post, also emerged.
The Federal Trade Commission recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity issued in 2014 by the National Institute of Standards and Technology and strongly endorsed by the White House. The FTC first explains how this question has a faulty premise, as the Framework is not designed to be a compliance checklist. Instead, in this new blog post, the FTC outlines how the FTC’s enforcement actions comport with the Framework’s five Core functions—Identify, Protect, Detect, Respond, and Recover—and emphasizes how both the Framework and the FTC’s approach highlight risk assessment and management, along with implementation of reasonable security measures, as the touchstones of any data security compliance program.
The threat of ransomware is one of three example scenarios highlighted in a recent white paper released by the National Institute of Standards and Technology, titled Data Integrity: Reducing the Impact of an Attack. The paper launches a joint project led by the National Cybersecurity Center of Excellence, with participation by the Financial Services Information Sharing and Analysis Center and several private sector organizations.
The National Institute of Standards and Technology released the draft Framework for Cyber-Physical Systems on September 18. The Framework is intended to serve as a common blueprint for the development of safe, secure, and interoperable systems as varied as smart energy grids, wearable devices, and connected cars. The NIST Cyber-Physical Systems Public Working Group developed the draft document over the past year with input from several hundred experts from industry, academia, and government. NIST will be accepting public comment on the draft for the next 45 days.
Government officials and experts from the private sector discussed enabling precision medicine and efforts to bolster patients’ rights to access medical records, and also emphasized the importance of controlling access to protected health information at the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 2–3, 2015, and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services, Office for Civil Rights. Comprehensive risk analysis and risk management practices remained a point of emphasis throughout the conference. This blog post addresses the following additional themes that emerged during the conference.
On August 12, the National Institute of Standards and Technology published a Request for Information to help develop the next generation of technical encryption standards used by the U.S. Government and federal contractors to protect sensitive information. The new standard will update Fair Information Processing Standard 140-2, which has provided the baseline requirements for the development, testing, and validation of cryptographic modules since 2001. While the RFI seeks input on several questions, NIST is primarily interested in the risks and benefits of transitioning—in whole or in part—to a competing standard developed by the International Standards Organization and International Electrotechnical Commission: ISO/IEC 19790:2012.
Emerging technologies, such as cloud computing and the “smart city,” have the potential to greatly advance our quality of life. The use, retention, and storage of data that go along with them, however, have raised citizen concerns about privacy risks. The National Institute of Standards and Technology addresses these concerns in a new draft report titled Privacy Risk Management for Federal Information Systems, which was released on May 29, 2015. The report introduces NIST’s Privacy Risk Management Framework, which anticipates and addresses privacy risk resulting from the processing of personal information. NIST intends that the framework will lay the foundation for establishing a common vocabulary that facilitates better understanding of (and communication about) privacy risks and how to effectively implement privacy principles. Although the report is directed at federal systems, the principles outlined may be useful for any business that processes personal information. The NIST report focuses on the development of two key pillars of the PRMF: privacy engineering objectives and a Privacy Risk Model.
After the recent release of the discussion draft of its Framework for Cyber-Physical Systems, the National Institute for Standards and Technology has continued its push to facilitate the development of a more secure interconnected environment by convening a workshop on cybersecurity for smart cities. Co-hosted by the Cyber Security Research Alliance and titled “Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies,” the workshop brought together representatives of government, industry, and academia to discuss how cybersecurity and privacy might be designed into the infrastructure of smart cities.
The U.S. Federal Communications Commission’s Public Safety and Homeland Security Bureau has requested public input on a recent report on Cybersecurity Risk Management and Best Practices by the Communications Security, Reliability and Interoperability Council for communications providers. The Report represents the latest example of the U.S. government’s continued attention to these issues following the President’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Comments are due May 29, with replies due June 26.
On March 16, the U.S. Commerce Department’s Internet Policy Task Force published a Request for Public Comment for input on the key cybersecurity issues affecting the digital ecosystem and digital economic growth. The IPTF aims to coordinate and facilitate consensus-based multistakeholder processes to generate collective guidance and identify best practices. Through this effort, the IPTF seeks to broaden the focus of federal cybersecurity efforts beyond securing critical infrastructure. A number of key cybersecurity challenges have been identified in the Request for Public Comment, and the IPTF is inviting commenters to highlight other topic areas that the IPTF should consider including as part of this process.
This week, the National Institute of Standards and Technology released a preliminary discussion draft of its Framework for Cyber-Physical Systems. The draft has an ambitious goal: to create an integrated framework of standards that will form the blueprint for the creation of a massive interoperable network of cyber-physical systems (CPS), also known as the “Internet of Things.” In 2014, NIST established the cyber-physical systems public working group (CPS PWG)—an open public forum which includes representatives from government, industry, and academia—to develop the CPS framework. By creating a common framework at an early stage of the Internet of Things, the CPS PWG hopes to ensure the development of a secure, integrated, and interoperable ecosystem of connected devices. The CPS PWG will continue to solicit input as it refines the draft and works to finalize the framework for use in multiple industry sectors.
On December 5, the National Institute of Standards and Technology issued an update regarding its Framework for Improving Critical Infrastructure Cybersecurity. Since its release in February 2014, the Framework has become an important benchmark for corporate cybersecurity programs. NIST’s update addresses industry input received from an October workshop and an August Request for Information. It also describes NIST’s plans to support future use of the Framework.
Government officials emphasized the importance of risk analysis and risk management in safeguarding PHI at the Seventh Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 23–24, 2014, and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. The conference’s themes—which include risk analysis and risk management, information sharing, and upcoming OCR enforcement efforts—highlighted how HIPAA regulated entities should approach cybersecurity considerations and compliance with the HIPAA Security Rule.
Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity, on August 21 the National Institute of Standards and Technology put forward a draft Request For Information to learn more about experiences with and effectiveness of the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release.
This week, the National Institute of Standards and Technology convened the first face-to-face meeting of the cyber-physical systems public working group to develop and implement a new cybersecurity framework dedicated to cyber-physical systems, also known as the “Internet of Things.” Companies developing products and services involving CPS may consider participating in the CPS PWG, as participation in webinars and meetings is open and intended to be convenient. The group’s efforts may affect the legal landscape developing around CPS.
With cyberattacks prompting litigation, regulatory inquiries, and reactions from customers and media outlets on an almost daily basis, companies of every type are considering what they should be doing now to address the risks of cyber intrusions and data security breaches. The “Framework for Improving Critical Infrastructure Cybersecurity” issued earlier this month by the National Institute for Standards and Technology provides a comprehensive menu of measures that can be used by organizations to address cybersecurity risk. In this alert, the Hogan Lovells Privacy Team describes this new resource and its implications for companies and suggest steps organizations can take now to assess whether to use it to manage cyber risk.
On February 12 at a White House event headlined by two Cabinet Secretaries, the President’s Chief of Staff, and three CEOs, the National Institute of Standards and Technology released version 1.0 of a “Framework for Improving Critical Infrastructure Cybersecurity.” Likely to become a highly influential benchmark for assessing the reasonableness of corporate cybersecurity programs, the Framework was developed with input from hundreds of private sector, governmental, and other experts pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
At a November 14 workshop convened by the National Insitute for Standards and Technology, experts and leaders across government and industry voiced alarm at the vulnerability of computerized systems and devices to a rising tide of threats from sources as varied as nation-state actors, cybercrime rings, and political movements. This blog post discusses the conference, including remarks by Hogan Lovells partner and Future of Privacy Forum advisory board member Harriet Pearson endorsing the consideration of privacy in cybersecurity efforts.
On October 22, NIST released the official Preliminary Cybersecurity Framework under development pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. A formal 45-day comment period will begin once the Preliminary Cybersecurity Framework is published in the Federal Register, which is expected next week. NIST remains on track to meet the Executive Order’s February 2014 deadline for issuance of the final Cybersecurity Framework.
On August 28, NIST released a discussion draft of the Preliminary Cybersecurity Framework that it is developing pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. NIST invites stakeholder review and input of this discussion draft, leading into the publication of the Preliminary Cybersecurity Framework on October 10 for formal public comment. The discussion draft follows on what has already been an active summer with respect to cybersecurity.