NIST Holds Third Workshop on Cybersecurity Framework Development, Identifies Greatest-Risk Critical Infrastructure

6 min

On July 10-12, 2013 in San Diego, the National Institute of Standards and Technology (“NIST”) held its third workshop on critical infrastructure cybersecurity pursuant to President Obama’s February Executive Order, which requires NIST to promulgate a Cybersecurity Framework within one year of the Order’s issuance. In addition, on July 19, 2012, the Department of Homeland Security (“DHS”) was obligated under the Executive Order to identify critical infrastructure at greatest risk. The Secretary of DHS will confidentially notify owners and operators of critical infrastructure regarding this identification and will provide the basis for the determination. Owners and operators may request reconsideration of “greatest risk” determinations, however a process for such appeals has not been publically released.

NIST will host a final Cybersecurity Framework workshop on September 11-13, 2013 at the University of Texas at Dallas before issuing the preliminary Cybersecurity Framework for public comment on October 10, 2013. In particular, owners and operators of greatest-risk critical infrastructure, as well as any other entities wishing to take advantage of potential incentives for adopting the Framework, may wish to participate in this final stage of piecing together the preliminary Framework. Venable will also continue to cover the Framework development process.

Risk Management Approach

Prior to the Workshop, NIST released a Draft Outline of the Framework along with two companion documents: a Draft Outline core and a Draft Outline compendium. NIST created these documents using comments from stakeholders submitted in response to NIST’s Request for Information issued in February 2013 regarding current cybersecurity practices as well as the outputs of NIST’s prior workshop in Pittsburgh in May of 2013.

The Draft Outline’s risk management approach is divided into five key functions: Know, Prevent, Detect, Respond, and Recover, defined as follows.

Know - Gaining the institutional understanding to identify what systems need to be protected, assess priority in light of organizational mission, and manage processes to achieve cost effective risk management goals.

Prevent - Categories of management, technical, and operational activities that enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components.

Detect - Activities that identify (through ongoing monitoring or other means of observation) the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events.

Respond - Specific risk management decisions and activities enacted based upon previously implemented planning (from the Prevent function) relative to estimated impact.

Recover - Categories of management, technical, and operational activities that restore services that have previously been impaired through an undesirable cybersecurity risk event.

Each function will be structurally divided into categories and subcategories, which are logical subdivisions of functions and categories, respectively. Examples of potential categories could include “know the enterprise assets and systems” and “implement risk monitoring and detection,” while examples of the more granular sub-categories could include “inventory hardware assets” and “restrict and protect remote access.” Both categories and subcategories may be paired with so-called “informative references” to existing standards, practices, and guidelines, which are collected in the Draft Compendium, in order to provide detailed guidance on effective practices specific to the category or sub-category in question.

The objectives of the third workshop were to discuss the Draft Outline, generate content for the preliminary Framework (i.e. add categories, subcategories, and informative references to each of the five functions), and discuss specific topics that inform the preliminary Framework. NIST plans to release a first draft of the preliminary Framework in August, in advance of the final workshop in Dallas on September 11-13.

Framework Implementation Levels

The Draft Outline also includes Framework Implementation Levels (“FILs”), which express, by role, the characteristics of the level of maturity of an organization for each function, category, and subcategory. FILs are provided for officials at three levels – senior executives, business process managers, and operations managers – as well as for, currently, three levels of organizational maturity, i.e. FIL 1, FIL 2, and FIL 3.

DHS Performance Goals

At the workshop, DHS also revealed its draft performance goals, which are required under section 7(d) of the Executive Order. DHS emphasized that the performance goals are not designed to measure implementation of the Framework and that they focus on “the direction we want to move in” as a nation, not individual entities.

The performance goals currently consist of “vision” and “strategic performance goal" statements, as well as “primary performance goals” (“PPGs”) and “supporting performance goals” (“SPGs”). The proposed performance goals are as follows.

Vision - The American People will have a high level of confidence that essential services and products1 will continue to be delivered to critical customers2 in the face of most cyber incidents.

Strategic Performance Goal - Organizations mitigate the consequences of cyber threats and vulnerabilities to their business functions, and to national economic security, public health, and safety, through enterprise risk management and the appropriate mix of prevention, detection, response, and resilience measures.

PPG 1 - During and following a cyber incident, essential services and products continue to be delivered with a high degree of reliability, resiliency, safety, and integrity.

PPG 2 - Intellectual property and personal information are protected to maintain the confidentiality of proprietary information and ensure privacy and civil liberties.

SPG 1 - Capabilities are built and sustained to prevent, detect, respond to, recover, and learn from cyber incidents as part of an ongoing enterprise risk management process.

SPG 2 - Functions critical to the delivery of essential services and products are sustained, or otherwise rapidly restored, over the course of a cyber incident.

SPG 3 - Preparedness and resilience are continuously improved based on lessons learned from incidents, exercises, and other activities.

DHS emphasized that the performance goals are a work in progress. DHS’s Framework Collaboration Working Group meets every Wednesday to discuss the performance goals and other Framework-related issues, and membership is open to stakeholders. Entities interested in joining or providing feedback to DHS can email

Venable will continue to follow closely NIST’s progress on the development of the Cybersecurity Framework, including the remaining workshop and issuance of the preliminary Framework for public comment. With just one workshop left before the preliminary Cybersecurity Framework is released for public comment, readers may have questions about the impact the Cybersecurity Framework will have on their respective businesses. Venable’s attorneys are well-positioned to answer any such questions, having participated in and attended all relevant meetings conducted by NIST since the Executive Order was released in February.

Venable LLP offers a broad array of legal services to a variety of different players within the cybersecurity arena.  Our attorneys are adept at understanding complex client issues and tapping into the extensive experience of our many practice areas including privacy and data security, e-commerce, intellectual property, government contracting, telecommunications, energy, and corporate.

If you have any questions concerning this alert, please contact any of the listed authors.

1 The terms “essential services and products” is currently defined as “those services and products upon which security, national economic security, national public health or safety, or any combination of those matters is dependent.”

2 The term “critical customer” is currently defined as “a recipient of essential services and products who, in turn, provides or produces essential services and products.”