October 21, 2013 06:13PM ET

Key Development:

NIST says it is close to releasing a draft cybersecurity “framework” for the private sector, as part of executive order implementation.

Next Steps:

Agency poised to make announcement as soon as Oct. 22, spokeswoman says.
(BNA) — Cybersecurity
The National Institute of Standards and Technology (NIST) is close to unveiling a draft cybersecurity “framework” for the private sector, a key step in a larger effort directed by the White House, an agency spokeswoman told Bloomberg BNA Oct. 21.
An announcement might come as soon as Oct. 22, according to NIST spokeswoman Jennifer Huergo.
Under an executive order signed by President Barack Obama earlier this year, NIST has been charged with leading the development of a framework with voluntary cybersecurity standards for U.S. owners and operators of “critical infrastructure,” such as power plants and water systems.
“It’s a game changer in the sense that there’s nothing else like this out there right now,” Jessica Herrera-Flanigan, a partner at the Monument Policy Group, told Bloomberg BNA Oct. 21. “It definitely raises the stakes from where we were a year ago.”
The framework could potentially establish a “standard of care” for the business community and end up being used to determine whether a company is liable in cybersecurity-related litigation, according to Benjamin Powell, a partner at Wilmer, Cutler, Pickering, Hale and Dorr LLP.
“I don’t think this is just a general, meaningless ‘security is good’ type framework,” Powell told Bloomberg BNA. “And I think companies that ignore it may end up with significant risk.”

Incentives Weighed

Meanwhile, the Obama administration is exploring the possibility of tying the framework to such incentives as liability protections, grants, cyberinsurance and government contracts. However, it is currently unclear how much will ultimately come out of the incentive effort, particularly when it comes to areas where the administration will need to work with the currently gridlocked and divided Congress, according to analysts (191 DER C-1, 10/2/13).
The president issued his executive order after Congress failed to reach agreement on cybersecurity in 2012. As part of the White House initiative, the Department of Homeland Security is required to coordinate the development of a program to promote the framework once it is finalized. In addition, regulatory agencies must review any existing cybersecurity mandates to assess whether they are adequate in light of the final framework.
While primarily designed for critical infrastructure entities and their partners, the framework is expected to benefit a broader array of organizations across the private sector that are facing mounting cyberthreats, according to NIST, a division of the Department of Commerce.
NIST was originally scheduled to publish a draft framework by Oct. 10. However, the effort was delayed because of the recent federal government shutdown (198 DER A-6, 10/11/13). The president’s order requires NIST to produce a final framework by February 2014.
A preliminary document, released in August, outlined five core cybersecurity functions:

  • Identify—Develop the institutional understanding of the organizational systems, assets, data and capabilities that need to be protected.
  • Protect—Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.
  • Detect—Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond—Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
  • Recover—Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.

“Cybersecurity risk is a reality that organizations must understand and manage to the level of fidelity of other business risks that can have critical impacts,” an overview of the preliminary document said. “Much like reputational, financial, supplier, and other risks, organizations must manage cybersecurity risk in order to gain and maintain customers, reduce cost, increase revenue, and innovate. If your company is publicly traded, for example, your Board of Directors should be aware of cybersecurity risk and the steps your organization must take to manage this risk.”