November 12, 2014

Practice Groups: Government Contracts & Procurement Policy; Global Government Solutions

U.S. Government Contracts & Procurement Policy Alert

Intro to Cybersecurity Framework: New Mandatory NIST Standards for Government Contractors?

By: Stuart B. Nibley and Amy M. Conant

Cybersecurity remains one of the most important and least understood issues of the day. Last week, the National Institute of Standards and Technology (NIST) hosted a workshop in Tampa, Florida, to receive private sector feedback on Version 1.0 of its Cybersecurity Framework (CSF), released on February 12, 2014. The purpose of the workshop, NIST advertised, was to gather input on users’ initial experiences with the framework “with a focus on resources to help organizations use the Framework more effectively and efficiently.” While certainly optimistic, the agenda might be too ambitious for the private sector, where awareness of the NIST standards remains low.

How does your organization measure up to the NIST Framework?

The NIST Framework stemmed from Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”[1] E.O. 13636 directed NIST to develop a voluntary cybersecurity framework. The purpose of the framework was to provide a baseline for organizations: “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The resulting Cybersecurity Framework allows an organization to understand and shape its cybersecurity program using five functions: identify, protect, detect, respond, and recover.[2]

• Identify cybersecurity risk to systems, assets, data, and capabilities. These activities are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

• Protect critical infrastructure by developing and implementing appropriate safeguards. This function supports the ability to limit or contain the impact of a potential cybersecurity event.

• Detect breaches by developing and implementing appropriate activities to identify the occurrence of a cybersecurity event.

• Respond to breaches by developing and implementing appropriate activities to take action regarding a detected cybersecurity event. This function supports the ability to contain the impact of a potential cybersecurity event.

• Recover from a cybersecurity event using appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired.

What does the NIST Framework mean for Government contractors?

While the NIST Framework is still voluntary, Government contractors should be on the lookout for agencies using the Framework to develop their own standard cybersecurity requirements in contracts. A January 2014 Department of Defense and General Services Administration joint report, “Improving Cybersecurity and Resilience through Acquisition,” recommended the institution of “baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions” and a “federal acquisition cyber risk management strategy,” both of which suggest that the NIST Framework could become de facto mandatory for Government contractors.

Be wary of NIST tunnel vision.

One of the biggest takeaways from the NIST workshop last week is that there is no such thing as being “CSF-compliant.” The NIST Framework is specifically designed not to be a checklist, and even states that it is “not a one-size-fits-all approach to managing cybersecurity risks for critical infrastructure,” because “organizations will continue to have unique risks . . . and how they implement the practices in the Framework will vary.” Although Government contractors must be aware of cybersecurity’s evolving regulatory landscape and should use the NIST Framework accordingly, the takeaway from Tampa is clear: use the NIST Framework, but tailor implementation to your company’s own unique risks and needs . . . and watch for incorporation of the NIST Framework into Government contracts as mandatory requirements.

Authors:

Stuart B. Nibley
stu.nibley@klgates.com
+1.202.778.9428

Amy M. Conant
amy.conant@klgates.com
+1.202.778.9468

© 2014 K&L Gates LLP. All Rights Reserved.

Notes

[1] Exec. Order No. 13636.

[2] NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0.