NIST Unveils Preliminary Cybersecurity Framework



Similar documents
SEC Staff Addresses Third-Party Endorsements of Investment Advisers on Social Media Websites

Removal of Credit Ratings References

DOE Announces Fundamental Shift in LNG Export Authorization Policy

Environment, Health And Safety. Ensuring Your Company s European Operations are Compliant with New EU Regulations and Enforcement Measures

Launch of Mutual Recognition of Funds Between Mainland China and Hong Kong

How Can the Automotive Industry Strengthen Its Regulatory Compliance Process and Reduce Its Compliance Risks?

Italian Tax Reform. New legislation on abuse of law and statute of limitations. Abuse of law and tax avoidance. Introduction

Payday Loans Under Attack: The CFPB's New Rule Could Dramatically Affect High-Cost, Short-Term Lending

Regulatory Implications of New Products and Services in the Australian Electricity Market

Health Care Entities Get Clarity from FCC on Telephone Communications

Five Takeaways from the First Cyber Insurance Case

2014 Amendments Affecting Delaware Alternative Entities and the Contractual Statute of Limitations

How To Allow Sports Wagering In New Jersey

NIST Cybersecurity Framework What It Means for Energy Companies

Ninth Circuit Opinion May Open Litigation Doors Most Thought Closed

ESTABLISHING A BUSINESS PRESENCE IN DUBAI

The Limited Liability Company and the Bankruptcy Code

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

How To Write A Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Framework: Current Status and Next Steps

How To Understand And Manage Cybersecurity Risk

The NIST Cybersecurity Framework

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Finance Alert. New Rules on Short Selling and Derivative Transactions in Germany. Introduction. Prohibition of Short Selling

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

Billing Code: 3510-EA

Cyber Risks in the Boardroom

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Framework for Improving Critical Infrastructure Cybersecurity

No. 33 February 19, The President

Insurance Coverage for Cyber Attacks

Assignee Liability Is Extended by Massachusetts: Will Others Follow Suit?

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

K&L Gates Insurance Coverage Practice

The Data Center of the Future: Creating New Jobs in Europe

Change Management Implementation

Financial services regulation in Australia

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015


Why you should adopt the NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

Global Real Estate Outlook

NIST Cybersecurity Framework. ARC World Industry Forum 2014

FSOC Proposes Rules for Board of Governors of the Federal Reserve s Supervision of Nonbank Financial Companies. October 20, 2011

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

Why you should adopt the NIST Cybersecurity Framework

70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready?

Marketing and Branding in Recruitment. Robert Wegenek Squire Patton Boggs (UK) LLP

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

DHL Global Energy Conference 2015 Outsourcing logistics Enhancing innovation or increasing risk?

Building Security In:

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

Coaching Executives: Building Emotional Intelligence

CRITICAL THINKING AT THE CRITICAL TIME CONSTRUCTION SOLUTIONS

IT Audit Services. Ensuring the Right Systems and Controls Are in Place to Manage Risks Created by New Technologies

CONCEPTS IN CYBER SECURITY

Defining and Managing Reputation Risk

Connecting to Remote Desktop Services on an ipad

Opportunities for Action. Shared Services in Operations and IT: Additional Complexity or Real Synergies?

PROTIVITI FLASH REPORT

The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Transcription:

November 25, 2013 Practice Group: Cyber Law and Cybersecurity NIST Unveils Preliminary Cybersecurity Framework By Roberta D. Anderson On October 22, the National Institute of Standards and Technology (NIST) released its longanticipated Preliminary Cybersecurity Framework 1 for public review and comment. The Cybersecurity Framework was issued in accordance with President Obama s February 19 Executive Order 13636, Improving Critical Infrastructure Cybersecurity, 2 which tasked NIST with developing a Cybersecurity Framework to reduce cyber risks to critical infrastructure. 3 The Executive Order states that the Cybersecurity Framework must provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. 4 Critical infrastructure organizations include those in the chemical, communications, critical manufacturing, defense, financial services, energy, healthcare, and information technology sectors, among others. 5 As stated in the Executive Order, [t]he cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. 6 NIST developed the Cybersecurity Framework based on information gathered over the past six months, including a Request for Information published in the Federal Register 7 and a series of four open public workshops held at various locations throughout the United States. A key objective of the Cybersecurity Framework is to encourage organizations to consider cybersecurity risk as a priority similar to financial, safety, and operational risk. 8 At a very high level, as its name indicates, the Cybersecurity Framework provides a framework for critical infrastructure organizations to achieve a grasp on their current cybersecurity risk profile and risk management practices, to identify gaps that should be addressed in order to progress towards a desired target state of cybersecurity risk management, and to internally and externally communicate efficiently about cybersecurity and risk management. In releasing the Cybersecurity Framework, NIST explained that it offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity and will help them to identify and prioritize opportunities for improvement within the context of risk 1 The Cybersecurity Framework is available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf. 2 78 FED. REG. 11737 (2013). The Executive Order is available at http://www.gpo.gov/fdsys/pkg/fr-2013-02-19/pdf/2013-03915.pdf. 3 Executive Order, Section 7(a). 4 Id., Section 7(b). Critical infrastructure as used in the Executive Order means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Id. Section 2. This is the meaning given to the term in the Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e). 5 Presidential Policy Directive/PPD 21, Critical Infrastructure Security and Resilience, (Feb. 12, 2013), available at http://www.fas.org/irp/offdocs/ppd/index.html (reference PPD 21 ), identifies 16 critical infrastructure sectors. See id. at 10-11. 6 Executive Order, Section 1. 7 78 FED. REG. 13024 (2013). The Request for Information is available at http://www.gpo.gov/fdsys/pkg/fr-2013-02- 26/pdf/2013-04413.pdf. 8 Cybersecurity Framework, at 1.

management and to assess progress toward their goals. 9 Although applying to organizations in critical infrastructure, the Cybersecurity Framework may be used by any organization as part of its effort to assess cybersecurity practices and manage cybersecurity risk. Three-Part Approach The Cybersecurity Framework adopts a risk-based approach composed of three parts: the Framework Core, Framework Profile, and Framework Implementation Tiers. 10 The Framework Core The Framework Core is a set of cybersecurity activities that are common across critical infrastructure sectors. It consists of five high-level Functions, which, as stated by NIST, organize basic cybersecurity activities at their highest level. 11 The five Functions are: (1) Identify, 12 (2) Protect, 13 (3) Detect, 14 (4) Respond, 15 and (5) Recover. 16 NIST explains that these Functions will provide a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines, and practices. 17 For each of the five Functions, the Framework Core identifies underlying key Categories and Subcategories, and then matches them with Informative References, such as existing cybersecurity standards, guidelines, and practices. By way of example, Categories within the Protect Function include Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, and Protective Technology. 18 Subcategories under the Access Control Category within the Protect Function include (but are not limited to) [i]dentities and credentials are managed for authorized devices and users and [n]etwork integrity is protected. 19 Informative References for [i]dentities and credentials are managed for authorized devices and users include the following: ISA 99.02.01 4.3.3.5.1 COBIT DSS05.04, DSS06.03 SO/IEC 27001 A.11 NIST SP 800-53 Rev. 4 AC-2, AC-5, AC-6, IA Family 9 NIST Releases Preliminary Cybersecurity Framework, Will Seek Comments (Oct. 22, 2013), available at http://www.nist.gov/itl/cybersecurity-102213.cfm. 10 Cybersecurity Framework, at 2. 11 Id. at 5. 12 This is to [d]evelop the institutional understanding to manage cybersecurity risk to 243 organizational systems, assets, data, and capabilities. Id. at 6. 13 This is to [d]evelop and implement the appropriate safeguards, prioritized through the organization s risk management process, to ensure delivery of critical infrastructure services. Id. 14 This is to [d]evelop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Id. at 7. 15 This is to [d]evelop and implement the appropriate activities, prioritized through the organization s risk management process (including effective planning), to take action regarding a detected cybersecurity event. Id. 16 This is to [d]evelop and implement the appropriate activities, prioritized through the organization s risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event. Id. 17 Id. at 11. 18 Cybersecurity Framework, at 7. 19 Id.at 16-17 (Appendix A). 2

CCS CSC 16 20 The Cybersecurity Framework relies upon existing private sector and governmental cybersecurity standards, guidelines, and practices as a basis to build or augment an organization s cybersecurity risk management practices. The following Figure 1 from the Cybersecurity Framework depicts the Framework Core: NIST explains that [t]his structure ties the high level strategic view, outcomes and standards based actions together for a cross-organization view of cybersecurity activities. 21 The Framework Core is intended to facilitate cybersecurity and risk management communications within an organization, including among senior management, middle management and operational staff. In releasing the Cybersecurity Framework, NIST explained that it will foster communications among internal and external stakeholders and help organizations hold each other accountable for strong cyber protections. 22 The Framework Profile In essence, the Framework Profile describes an organization s current state of cybersecurity risk management and can be used to track progress towards a target state of cybersecurity risk management. As described by NIST, the Framework Profile can be used to describe both the current state and the desired target state of specific cybersecurity activities, thus revealing gaps that should be addressed to meet cybersecurity risk management 20 Id.at 16 (Appendix A). 21 Id. at 2. 22 NIST Releases Preliminary Cybersecurity Framework, Will Seek Comments (Oct. 22, 2013), available at http://www.nist.gov/itl/cybersecurity-102213.cfm. 3

objectives. 23 Framework Profiles are used to identify opportunities for improving cybersecurity by comparing a Current Profile with a Target Profile. 24 The Framework Implementation Tiers The Framework Implementation Tiers, which range from Partial (Tier 1) to Adaptive (Tier 4), describe the degree to which an organization s cybersecurity practices exhibit desirable characteristics. The Tiers consider cybersecurity risk management practices, the level of awareness of cybersecurity risk at the organizational level, and the processes, or lack thereof, in place to coordinate or collaborate with other entities. By way of example, considering the risk management aspect, at Tier 1 [o]rganizational cybersecurity risk management practices are not formalized and risk is managed in an ad hoc and sometimes reactive manner. 25 At Tier 2, [r]isk management practices are approved by management but may not be established as organizational-wide policy. 26 At Tier 3, [t]he organization s risk management practices are formally approved and expressed as policy. 27 At Tier 4, [t]hrough a process of continuous improvement, the organization actively adapts to a changing cybersecurity landscape and responds to emerging/evolving threats in a timely manner. 28 Implementation The Cybersecurity Framework is voluntary--at least for now. NIST has explained that the Framework complements, and does not replace, an organization s existing business or cybersecurity risk management process and cybersecurity program. 29 The Cybersecurity Framework can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. 30 Although the Cybersecurity Framework is voluntary, organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Cybersecurity Framework provides a de facto standard for cybersecurity and risk management. Importantly, the Cybersecurity Framework can be used as a means to communicate an organization s required cybersecurity standards to business partners. As stated by NIST, [t]he Framework provides a common language to communicate requirements among interdependent partners responsible for the delivery of essential critical infrastructure services, such as, for example, the utilization of a Target Profile to express requirements to an external service provider (e.g., a cloud provider) to which it is exporting data. 31 This is significant because the cybersecurity shortcomings of cloud and other providers can have a profound impact on supply chains. As explained by NIST: 23 Cybersecurity Framework, at 7. NIST further describes the Framework Profile as a tool to enable organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organization and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. Id. 24 Id. at 3. 25 Id. at 9. 26 Id. at 10 27 Id. 28 Id. 29 Id. at 2. 30 Id. at 11. 31 Id. at 12. 4

All organizations are part of, and dependent upon, product and service supply chains. Supply chains consist of organizations that design, make, source, and deliver products and services. Disruptions in one part of the supply chain may have a cascading and adverse impact on organizations throughout the supply chain, both up and downstream, and across multiple sectors and subsectors. Although many organizations have robust internal risk management processes, there remain challenges related to criticality and dependency analysis, collaboration, information sharing, and trust mechanisms throughout the supply chain. As a result, organizations continue to struggle to identify their risks and prioritize their actions due to these operational dependencies and the weakest links are susceptible to penetration and disruption. Supply chain risk management, particularly in terms of product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge, and fragmented standards and best practices. 32 Incentives -- And Insurance As of yet unspecified governmental incentives will be offered to organizations that adopt the framework. The Executive Order directs the Secretary of Homeland Security, in coordination with sector-specific agencies, to establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities, called the Program, and to coordinate establishment of a set of incentives designed to promote participation in the Program. 33 On August 6, the White House previewed a list of possible incentives, including Cybersecurity Insurance at the top of the list. 34 If Cybersecurity Insurance is adopted as an incentive, organizations that participate in the Program may, for example, enjoy more streamlined underwriting and reduced cyber insurance premiums. As stated by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, agencies have suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program and that [t]he goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market. 35 Mr. Daniel states that NIST is taking steps to engage the insurance industry in further discussion on the Framework. 36 The placement of Cybersecurity Insurance at the top of a list of possible incentives underscores the important role that insurance can play in an organization s overall strategy to manage and mitigate cybersecurity risk, including supply chain disruption. 37 Adam Sedgewick, Senior Information Technology Policy Advisor at NIST, stated in a recent interview that NIST views the insurance industry as a major stakeholder [in] helping 32 Id. at 39. 33 Executive Order, Section 8(a, d). 34 Michael Daniel, Incentives to Support Adoption of the Cybersecurity Framework, The White House Blog (Aug. 6, 2013), available at http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework. 35 Id. Other potentially significant incentives include leveraging federal grant programs, limitations on liability, including reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements, and optional public recognition for participants in the Program and their vendors. Id. 36 Id. 37 See Roberta D. Anderson, Insurance Coverage for Cyber Attacks, THE INSURANCE COVERAGE LAW BULLETIN, Vol. 12, Nos. 4 & 5 (May-June 2013). 5

organizations manage their cyber risk. 38 All of this is consistent with the SEC s guidance on cybersecurity disclosures under the federal securities laws, which advises that appropriate disclosures may include, among other things, a [d]escription of relevant insurance coverage for cybersecurity risks. 39 Request For Comment NIST is seeking comments on the Cybersecurity Framework 40 and organizations have a unique opportunity to potentially shape the final Cybersecurity Framework. Both written and electronic comments should be submitted using the comment template form available electronically from the NIST website 41 and are due by December 13, 2013. The final version of the Cybersecurity Framework is due to be released in February 2014. * * * * * Our Cybersecurity practice group is uniquely positioned to assist our clients in all aspects of addressing and mitigating cyber risks, including assisting our clients to understand the scope, impact, applicability, and implications of the President s Executive Order, Presidential Policy Directive 21, and the developing Cybersecurity Framework and Program incentives. Author: Roberta D. Anderson roberta.anderson@klgates.com +1.412.355.6222 Other Contacts: Bruce J. Heiman bruce.heiman@klgates.com +1.202.661.3935 David A. Bateman david.bateman@klgates.com +1.206.370.6682 Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris Perth Pittsburgh Portland Raleigh Research Triangle Park San Diego San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington K&L Gates practices out of 48 fully integrated offices located in the United States, Asia, Australia, Europe, the Middle East and South America and represents leading global corporations, growth and middle-market companies, capital markets participants and 38 See Janet Aschkenasy, NIST to engage insurance as tool to manage cyber risk, Advisen (Oct 28, 2013 ) (quoting Mr. Sedgewick). 39 SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 40 78 FED. REG. 64478 (2013). 41 http://www.nist.gov/itl/ 6

entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit www.klgates.com. This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. 2013 K&L Gates LLP. All Rights Reserved. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information