NIST Unveils Cybersecurity Framework

February 2014
By Roberta Anderson
Practice Group(s): Cyber Law and Cybersecurity; Insurance Coverage
On February 12th, the National Institute of Standards and Technology (NIST) released its long-anticipated Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0,[1] together with a companion Roadmap for Improving Critical Infrastructure Cybersecurity.[2] The Framework is issued in accordance with President Obama’s February 19 Executive Order 13636, Improving Critical Infrastructure Cybersecurity,[3] which tasked NIST with developing a cost-effective Framework “to reduce cyber risks to critical infrastructure.”[4] The companion Roadmap discusses NIST’s next steps with the Framework and identifies key areas of development, alignment of cybersecurity standards and practices within the U.S. and globally, and collaboration with private and public sector organizations and standards-developing organizations.
The Framework applies to organizations in critical infrastructure.[5] But, given the pervasiveness of cybersecurity incidents and the ever-present, increasing, and evolving cyber risk threat, all organizations should consider whether their current cybersecurity risk management practices would pass muster under the Framework. In addition, although the Framework is “voluntary”—at least so far—organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Framework provides a “de facto” standard for cybersecurity and risk management even for non-critical infrastructure organizations. One thing that companies should consider as they review the Framework is what “Tier” of cybersecurity risk management they wish to achieve. The Tiers, which range from “informal, reactive” responses to “agile and risk-informed” ones, are addressed below, together with an overview of the Framework and additional detail regarding certain of its key aspects.
Overview
At a high level, as its name indicates, the Framework provides a framework for critical infrastructure organizations to understand their current cybersecurity risk profile and risk management practices, to identify gaps that should be addressed in order to progress towards a desired “target” state of cybersecurity risk management, and to communicate efficiently, both internally and externally, about cybersecurity and risk management.
[1] The Cybersecurity Framework is available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf. NIST developed the Framework based on information gathered over the past year, including a Request for Information published in the Federal Register and a series of four open public workshops held at various locations throughout the United States. See Roberta Anderson, NIST Unveils Preliminary Cybersecurity Framework, K&L Gates Cybersecurity Alert (Nov. 25, 2013), available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/.
[2] The Roadmap is available at http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf.
[3] 78 FED. REG. 11737 (2013). The Executive Order is available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.
[4] Executive Order, Section 7(a).
[5] “Critical infrastructure” organizations include those in the chemical, communications, critical manufacturing, defense, financial services, energy, healthcare, and information technology sectors, among others. The Presidential Policy Directive/PPD 21, Critical Infrastructure Security and Resilience (Feb. 12, 2013), available at http://www.fas.org/irp/offdocs/ppd/index.html (reference “PPD 21”), identifies 16 critical infrastructure sectors.
Building from global standards, guidelines, and practices, the Framework provides a
common taxonomy and mechanism for organizations to:
1. Describe their current cybersecurity posture;
2. Describe their target state for cybersecurity;
3. Identify and prioritize opportunities for improvement within the context of a continuous and
repeatable process;
4. Assess progress toward the target state;
5. Communicate among internal and external stakeholders about cybersecurity risk.
NIST has emphasized that the Framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.”[6] In addition, NIST properly notes that the Framework “is not a one-size-fits-all approach” to managing cybersecurity risk, given that organizations “have unique risks—different threats, different vulnerabilities, different risk tolerances.”[7]
In releasing the Framework, NIST explained that it provides a structure that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs and “a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.”[8] NIST also notes that organizations can use the Framework “to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity.”[9] Moreover, because it references globally recognized standards for cybersecurity, the Framework can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.
Although it applies to organizations in critical infrastructure, the Framework may be used by any organization as part of its effort to assess cybersecurity practices and manage cybersecurity risk.
Three-Part Approach
The Framework adopts a risk-based approach composed of three parts: the Framework
Core, Framework Profile, and Framework Implementation Tiers.
Framework Core
The Framework relies upon existing global cybersecurity standards, guidelines, and
practices as a basis to build or enhance an organization’s cybersecurity risk management
practices.
[6] Framework, at 4.
[7] Id. at 2.
[8] NIST Releases Cybersecurity Framework Version 1.0 (Feb. 12, 2014), available at http://www.nist.gov/itl/csd/launch-cybersecurityframework-021214.cfm.
[9] Id.
The Framework Core presents five high-level “Functions,” which, as stated by NIST, “organize basic cybersecurity activities at their highest level.”[10] The five Functions are: (1) Identify,[11] (2) Protect,[12] (3) Detect,[13] (4) Respond,[14] and (5) Recover.[15] NIST explains that these five high-level Functions “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk”[16] and will provide “a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines, and practices.”[17]
For each of the five Functions, the Framework Core identifies underlying key “Categories” and “Subcategories” of cybersecurity outcomes, and then matches those outcomes with “Informative References,” such as existing cybersecurity standards, guidelines, and practices, that will assist organizations in achieving the outcomes. By way of example, Categories within the “Protect” Function include Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, and Protective Technology.[18] Subcategories under the “Access Control” Category within the Protect Function include (but are not limited to) “[i]dentities and credentials are managed for authorized devices and users” and “[n]etwork integrity is protected, incorporating network segregation where appropriate.”[19] “Informative References” for “[i]dentities and credentials are managed for authorized devices and users” include the following:
• CCS CSC 16
• COBIT 5 DSS05.04, DSS06.03
• ISA 62443-2-1:2009 4.3.3.5.1
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
• ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
• NIST SP 800-53 Rev. 4 AC-2, IA Family[20]
Figure 1 (Framework Core Structure) from the Framework depicts the Framework Core; the figure is not reproduced here.
[10] Framework, at 7.
[11] This is to “[d]evelop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.” Id. at 8.
[12] This is to “[d]evelop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.” Id.
[13] This is to “[d]evelop and implement the appropriate activities to identify the occurrence of a cybersecurity event.” Id.
[14] This is to “[d]evelop and implement the appropriate activities to take action regarding a detected cybersecurity event.” Id.
[15] This is to “[d]evelop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.” Id. at 9.
[16] Id. at 4.
[17] Id. at 13.
[18] Id. at 19 (Appendix A).
[19] Id. at 23-24 (Appendix A).
[20] Id. at 23 (Appendix A). Additional supporting material relating to the Framework can be found on the NIST website at http://www.nist.gov/cyberframework/.
NIST explains that the Core “presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.”[21]
Implementation Tiers
The Framework Implementation Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and “the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.”[22] By way of example, considering the risk management aspect, at Tier 1 “[o]rganizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.”[23] At Tier 2, “[r]isk management practices are approved by management but may not be established as organizational-wide policy.”[24] At Tier 3, “[t]he organization’s risk management practices are formally approved and expressed as policy” and “[o]rganizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.”[25] At Tier 4, “[t]he organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities” and “[t]hrough a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.”[26]
[21] Id. at 4.
[22] Id. at 9.
[23] Id. at 10.
[24] Id.
[25] Id.
[26] Id. at 11.
Profile
In essence, the Framework Profile assists organizations to progress from a current level of
cybersecurity sophistication to a target improved state that meets the organization’s business
needs. As stated by NIST, a Profile is used to “identify opportunities for improving
cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target”
Profile (the “to be” state).” 27 Comparison of Profiles (e.g., the Current Profile and Target
Profile) may reveal gaps to be addressed to meet cybersecurity risk management objectives.
NIST states that the Framework Profile “can be characterized as the alignment of standards,
guidelines, and practices to the Framework Core in a particular implementation scenario.”28
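As an added illustration (not code from NIST or from this alert) of the Current-versus-Target comparison described above, and of handing a Target Profile slice to an external service provider as discussed under Framework Implementation below, the following Python models the Framework Core entries quoted in this alert and computes the gaps between two Profiles. The PR.AC-1 and PR.AC-5 identifiers are the Framework's Appendix A labels for the two quoted Access Control outcomes; the 0-3 per-outcome scores and the sample Profiles are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    """One Framework Core outcome: Function > Category > Subcategory."""
    sc_id: str          # Appendix A identifier, e.g. PR.AC-1
    function: str       # Identify, Protect, Detect, Respond or Recover
    category: str
    outcome: str
    references: tuple   # Informative References for achieving the outcome

# The two Protect / Access Control outcomes quoted in the alert, with the
# Informative References the alert lists for the first of them.
CORE = {
    "PR.AC-1": Subcategory(
        "PR.AC-1", "Protect", "Access Control",
        "Identities and credentials are managed for authorized devices and users",
        ("CCS CSC 16", "COBIT 5 DSS05.04, DSS06.03",
         "ISA 62443-2-1:2009 4.3.3.5.1",
         "ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9",
         "ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3",
         "NIST SP 800-53 Rev. 4 AC-2, IA Family")),
    "PR.AC-5": Subcategory(
        "PR.AC-5", "Protect", "Access Control",
        "Network integrity is protected, incorporating network segregation where appropriate",
        ()),  # the alert does not list this outcome's references
}

# Per-outcome scores use a constructed 0-3 achievement scale; they are not the
# Framework's Implementation Tiers, which rate the organization as a whole.
NOT_ASSESSED = 0

def gap_analysis(core, current, target):
    """Outcomes where the Target Profile exceeds the Current one, largest gap
    first.  An outcome absent from the Current Profile counts as not assessed;
    an id the Core does not define is rejected rather than silently skipped."""
    unknown = (set(current) | set(target)) - set(core)
    if unknown:
        raise KeyError(f"not in Framework Core: {sorted(unknown)}")
    gaps = []
    for sc_id, want in target.items():
        have = current.get(sc_id, NOT_ASSESSED)
        if want > have:
            sc = core[sc_id]
            gaps.append({"id": sc_id, "function": sc.function,
                         "category": sc.category, "current": have,
                         "target": want, "gap": want - have,
                         "references": list(sc.references)})
    return sorted(gaps, key=lambda g: (-g["gap"], g["id"]))

def provider_requirements(core, target, function="Protect"):
    """Slice of a Target Profile to hand to an external service provider:
    the outcomes of one Function and the score expected for each."""
    return {sc_id: score for sc_id, score in target.items()
            if core[sc_id].function == function}

# Constructed sample Profiles; PR.AC-5 has not yet been assessed at all.
CURRENT_PROFILE = {"PR.AC-1": 1}
TARGET_PROFILE = {"PR.AC-1": 3, "PR.AC-5": 3}

if __name__ == "__main__":
    for g in gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g['id']}: {g['current']} -> {g['target']} (gap {g['gap']})")
```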
Framework Implementation
The Framework is voluntary—at least for now. NIST also has explained that the Framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.”[29] Organizations can use the Framework as a reference to establish a cybersecurity program, or leverage the Framework to “identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.”[30] The Framework recognizes that “[o]rganizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.”[31]
Importantly, the Framework can be used as a means to communicate an organization’s required cybersecurity standards to business partners. As stated by NIST, “[t]he Framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure services,” such as, for example, using a “Target” Profile to “express cybersecurity risk management requirements to an external service provider (e.g., a cloud provider to which it is exporting data).”[32] This is significant, because the cybersecurity shortcomings of “cloud” and other providers can have a profound impact on supply chains. As noted by NIST in the Roadmap:
    All organizations are part of, and dependent upon, product and service supply chains. Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management programs. Although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing, and trust mechanisms remain a challenge. Organizations can struggle to identify their risks and prioritize their actions—leaving the weakest links susceptible to penetration and disruption. Supply chain risk management, especially product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge, and fragmented standards and best practices.[33]
[27] Id.
[28] Id. at 5.
[29] Id. at 4.
[30] Id.
[31] Id. at 5.
[32] Id. at 12.
[33] Roadmap at 8.
Incentive—and Cybersecurity Insurance
As-yet-unspecified governmental incentives will be offered to organizations that adopt the Framework. The Executive Order directs the Secretary of Homeland Security, in coordination with sector-specific agencies, to “establish a voluntary program to support the adoption of the Framework by owners and operators of critical infrastructure and any other interested entities,” called the “Program,” and to “coordinate establishment of a set of incentives designed to promote participation in the Program.”[34]
On August 6, 2013, the White House previewed a list of possible incentives, with “Cybersecurity Insurance” at the top of the list.[35] If Cybersecurity Insurance is adopted as an incentive, organizations that participate in the Program may, for example, enjoy more streamlined underwriting and reduced cyber insurance premiums. As stated by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, agencies have “suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program” and that “[t]he goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”[36] Mr. Daniel states that NIST “is taking steps to engage the insurance industry in further discussion on the Framework.”[37]
The placement of “Cybersecurity Insurance” at the top of a list of possible incentives underscores the important role that insurance can play in an organization’s overall strategy to manage and mitigate cybersecurity risk, including supply chain disruption.[38] Adam Sedgewick, Senior Information Technology Policy Advisor at NIST, stated that NIST views “the insurance industry as a major stakeholder [in] helping organizations manage their cyber risk.”[39] All of this is consistent with the SEC’s guidance on cybersecurity disclosures under the federal securities laws, which advises that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage” for cybersecurity risks.[40]
Going Forward
The Framework is a “living document,” which states that it “will continue to be updated and improved as industry provides feedback on implementation.”[41] As the Framework is put into practice, lessons learned will be integrated into future versions to ensure it is “meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.”[42] NIST will receive and consider
[34] Executive Order, Section 8(a, d).
[35] Michael Daniel, Incentives to Support Adoption of the Cybersecurity Framework, The White House Blog (Aug. 6, 2013), available at http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework.
[36] Id. Other potentially significant incentives include leveraging federal grant programs, limitations on liability, including “reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements,” and optional public recognition for participants in the Program and their vendors. Id.
[37] Id.
[38] See Roberta D. Anderson, Insurance Coverage for Cyber Attacks, THE INSURANCE COVERAGE LAW BULLETIN, Vol. 12, Nos. 4 & 5 (May-June 2013).
[39] See Janet Aschkenasy, NIST to engage insurance as tool to manage cyber risk, Advisen (Oct. 28, 2013) (quoting Mr. Sedgewick).
[40] SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[41] Framework, at 2.
[42] Id.
comments about the Framework informally until it issues a formal notice of revision to
version 1.0, at which point it will specify a focus for comments and specific deadlines that will
allow it to develop and publish proposed revisions. In addition, NIST intends to hold at least
one workshop within the next six months to provide a forum for stakeholders to share
experiences in using the Framework, and will hold one or more workshops and focused
meetings on specific areas for development, alignment, and collaboration. Therefore,
organizations will continue to have the opportunity to potentially shape the final Framework.
* * * * *
Our Cybersecurity Practice Group is uniquely positioned to assist our clients in all aspects of
addressing and mitigating cyber risks, including assisting our clients to understand the
scope, impact, applicability, and implications of the President’s Executive Order, Presidential
Policy Directive 21, and the developing Cybersecurity Framework and Program incentives.
Contacts:
Roberta D. Anderson
roberta.anderson@klgates.com
+1.412.355.6222
David A. Bateman
david.bateman@klgates.com
+1.206.370.6682
Bruce J. Heiman
bruce.heiman@klgates.com
+1.202.661.3935
© 2014 K&L Gates LLP. All Rights Reserved.