NIST: Some using cybersecurity framework as benchmark, some avoiding it

By Hunton & Williams on December 9, 2014

On December 5, 2014, the National Institute of Standards and Technology released an update on the implementation of the Framework for Improving Critical Infrastructure Cybersecurity. NIST issued the Framework earlier this year, in February 2014, at the direction of President Obama’s February 2013 Critical Infrastructure Executive Order.

The update is based on feedback NIST received in October at the 6th Cybersecurity Framework Workshop as well as from responses to an August Request for Information.

The December 5 update reviews a number of issues related to Framework implementation. Most notably, the update reports that there is general awareness of the Framework among critical infrastructure sectors, though that awareness could be improved among small and medium-sized businesses.

Stakeholders also indicated the Framework, particularly the common practices outlined in the Framework’s Core, is providing a means to communicate expectations within and among companies and other entities in a sector. NIST found that although some stakeholders are using the Framework as a benchmark for operations, others are explicitly avoiding using the Framework as a benchmark for operations.

In that regard, NIST reports that among the Framework’s three components – the Core, Profile and Implementation Tiers – the Implementation Tiers “appear to be the least-used part of the Framework.”

In other words, although the Framework is being adopted as a common means to examine cybersecurity systems, stakeholders are less likely to use the Framework to judge the implementation of those systems. Many stakeholders requested guidance on “real world” use of the Implementation Tiers. Others, though, continue to express reservations that the Framework could be used as a regulatory device.

NIST states that it is still too early to update the Framework, as more time is needed to understand the current version. NIST indicates, however, that it will focus in the coming months on providing guidance on using the Implementation Tiers. In addition, NIST noted calls from stakeholders for regulatory agencies to promote the use of the Framework “by clear statements about the voluntary nature of the document.”

While NIST currently does not have any formal opportunities to comment on the Framework, it is accepting feedback at [email protected].
