Apr 182018

NIST Updates Cybersecurity Framework

Alan Charles Raul
,

*This article first appeared on Law360 on April 17, 2018

On April 17, the National Institute for Standards and Technology (NIST) released an updated version of its standard-setting Cybersecurity Framework.  Commerce Secretary Wilbur Ross announced the new release with a statement saying the “Cybersecurity Framework should be every company’s first line of defense” and “adopting version 1.1 is a must do for all CEO’s.”  Version 1.1 is dated April 16, 2018.

The new version focuses substantially more on supply chain risks and management than the prior iteration, and also stresses the importance of focusing on: effective internal communications among technical and non-technical personnel, threat intelligence and information sharing, as well as increased collaboration with relevant outside parties.

Significantly, version 1.1 adds important material regarding cybersecurity “governance,” including heightened attention to integrated risk management and budgeting by senior executives; the importance of senior cybersecurity and non-cybersecurity executives communicating regularly regarding cybersecurity risk; and, the responsibility of senior executives ensuring consideration of cybersecurity through all lines of operation in the organization.

As with the first version of NIST’s Cybersecurity Framework, all companies should review the new version, determine its potential utility, and consider adopting, adapting or comparing the new Framework for use within their own cyber ecosystems.  Boards of Directors should also be generally familiar with the Framework, and encourage management to discuss potential application or implications of the document for addressing their companies’ own cyber risks.

The Framework was originally developed to focus on energy, banking, communications, and defense sectors, but has been adopted voluntarily by a much broader group of companies and government agencies.  The revision process began in 2015, and involved extensive public engagement with interested parties, two draft publications, over two hundred comments and over 1200 participants in workshops conducted in 2016 and 2017.

Like its predecessor, the new Framework adopts a practical, flexible and cost-conscious approach.  For example, the revised introduction notes that “similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. Cybersecurity can be an important and amplifying component of an organization’s overall risk management.”

NIST identifies the following topics as the subjects of the most significant updates in version 1.1:

  • authentication and identity,
  • self-assessing cybersecurity risk,
  • managing cybersecurity within the supply chain and
  • vulnerability disclosure.

NIST provides a link to the new version that is marked-up to show redlined changes from version 1.0, including a summary chart of changes made between versions 1.0 and 1.1.

The new document stresses that the Framework is primarily “a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements” rather than a means to establish compliance with a defined set of external standards.  The revised version explains the Framework’s utility to different organizations as providing a flexible way to address cybersecurity including physical and “people” dimensions, as well as IT systems, industrial control systems, and Internet of Things (IoT) devices.

Version 1.1 also acknowledges that the concept of “compliance” with the voluntary provisions and flexible standards of the Framework is incongruous, and “can be confusing and mean something very different to various stakeholders.”  NIST presumably highlights this metaphysical tension in order to emphasize that the Framework is “not a one-size-fits-all approach to managing cybersecurity risk,” and that  companies have “unique risks – different threats, different vulnerabilities, different risk tolerances.” The Framework affirmatively encourages organization to customize their practices under the Framework rather than impose the Framework lock, stock and barrel.

The significant new material in version 1.1 includes detailed consideration of supply chain risks.  The revised Framework indicates that the primary objective supply chain risk management (SCRM) is to identify, assess, and mitigate the risk of products and services that “may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.” Highlighted SCRM activities may include setting cybersecurity requirements for suppliers, specifying cybersecurity requirements through contracts, telling suppliers how those cybersecurity requirements will be verified and validated, and verifying that cybersecurity requirements are satisfied through appropriate assessment methodologies.

Other key new areas developed in the revised Framework include threat intelligence and information sharing and enhanced internal communications.  The new document encourages organizations to understand their role in the larger cyber ecosystem and should consider collaboration and information sharing.  With regard to intra-organization information sharing, version 1.1 suggests that senior cybersecurity and non-cybersecurity executives should communicate regularly regarding cybersecurity risk.

Significantly, the revised Framework recommends thatsenior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance.”

In the closing pages of the document, the new framework adds a new definition for “cybersecurity incident” on top of the prior definition for “cybersecurity event.” Accordingly, version 1.1 now contains these two definitions (emphases added):

·         “Cybersecurity Event: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).”
·         “Cybersecurity Incident: A cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery.”

Based on the new nomenclature, the hierarchy of cyber occurrences in increasing order of seriousness are: cyber changes, events, and incidents.  “Events” prompt the need for investigation, assessment and judgment.  “Incidents” prompt the need for response and recovery.  The document does not define or even use the term “breach.”

In all, NIST has once again produced a useful, flexible document that can be applied or adapted, in whole or in part, voluntarily, by a wide range of companies.  The document remains free of prescriptive language and ideological content. It does not re-invent cybersecurity wheels.  Rather, it identifies and correlates a broad range of existing standards developed previously by NIST, or by other private standard-setting bodies like ISO or COBIT.  The document is still easy to read, and should be entirely accessible to executives, directors and non-technical personnel.  Bravo NIST and the Department of Commerce!

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).