Jan 132017

NIST Issues Draft Revision to Cybersecurity Framework

Alan Charles Raul and Cameron F. Kerry
, , ,

The National Institute of Standards & Technology (NIST) has issued a revised draft version of its Cybersecurity Framework. The document is issued as “Version 1.1″ of the existing framework, redlined to show changes from the original framework issued almost three years ago. It is a draft, seeking comment. No period for public comment is specified, except that NIST expects to hold a public workshop on the revised draft “around the fall of 2017.”

Some key changes from the 2014 document are:

  • The addition of supply chain risk management to the framework. Supply chain risk management (a) is introduced as a factor in characterizing Implementation Tiers, (b) is discussed at some length in the description of how to use the Framework, and (c) is added to the “Identify” Core Function as part of initial risk assessment and standards mapping, along with references to standards on supply chain management.
  • The addition of identity management to access controls as part of the “Protect” Core Function, also with references to standards.
  • The addition of an entirely new section on cybersecurity metrics in the description of Framework implementation, including a detailed discussion of types of measurement.
  • The addition in the section on metrics of a discussion of “correlation to business results.” In connection with cybersecurity metrics, the proposed revision recognizes that “the relative cost effectiveness of various cybersecurity activities is an important consideration,” but is a complex factor that varies within a company from the board level, to senior executives, and to those who report to senior executives. Cost-effectiveness is described as achieving a business objective using minimum cybersecurity effort and expense.  The new text highlights management metrics to enable cybersecurity to be factored into enterprise risk management more effectively.

The NIST Cybersecurity Framework was nominally aimed at critical infrastructure but, because it explicitly avoided a one-size-fits-all approach, it has proved widely adaptable to and adopted by organizations of all kinds. The revised draft embraces this wide application by adding a discussion of the relationship between the Framework and other guidelines for federal agencies, as well as additional explanation of how to use the Framework that makes it more accessible to different kinds of organizations.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Cameron F. Kerry

ckerry@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.