NIST Issues Voluntary Cybersecurity Framework
On February 12, 2014, as directed by President Obama in Executive Order No. 13636, the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, released the final Cybersecurity Framework (Framework). While the Framework is intended to be voluntary, and is designed to facilitate the establishment of a national set of standards for cyber risk management across all segments of the economy, the manner in which the Framework will be implemented by and through the Sector-Specific Agencies, such as DOE, remains to be seen. Electric and gas utilities, among other business segments, should closely follow the implementation of the Framework to ensure that the industries’ unique issues, including cost recovery and liability protection, are adequately considered.
The Framework was created through collaboration between government and the private sector. Because the Framework is intended to guide cyber efforts across many industries, the Framework uses a common language to address and manage cybersecurity risk. The Framework consists of three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profile.
Accompanying the Framework is the NIST Roadmap. The Roadmap notes that the Framework will continue to be updated and improved as industry participants provide feedback on implementation. To that end, NIST intends to hold at least one workshop within six months to provide a forum for stakeholders to share experiences in using the Framework. NIST also expects to transition the responsibility for the Framework to an unidentified, non-governmental organization.
Also on February 14, the Department of Homeland Security launched the Critical Infrastructure Cyber Community C³ (pronounced “C-Cube”) Voluntary Program. The intent of the C³ Voluntary Program is to: (1) support industry in increasing its cyber resilience; (2) increase awareness and use of the Framework; and (3) encourage organizations to manage cybersecurity as part of an all-hazards approach to enterprise risk management. The C³ Voluntary Program’s focus during the first year will be engagement with Sector-Specific Agencies and organizations using the Framework to develop guidance on how to implement the Framework. The first meeting of the C³ Voluntary Program is February 19. The Sector-Specific Agency for the electricity and gas industries is the Department of Energy.
Missing from the various releases on February 12 is any discussion of incentives (including the liability protections mentioned in the Treasury Department’s report on incentives) for the industry to implement the Framework. An earlier release by DHS noted that engagement on incentives will occur during the voluntary program, but nothing was mentioned about incentives in the Framework or Roadmap, or in the description of the C³ Voluntary Program. Moreover, while the Framework notes that the Framework is “voluntary,” none of the releases on February 12 addressed a statement made by the Treasury Department in its report that adopting the Framework could satisfy a duty of care for purposes of determining liability. The Framework also did not address the Treasury recommendations against establishment of new tax incentives or the creation of a government program for cyber insurance.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.