On October 22, 2013, the National Institute of Standards and Technology (NIST) released the preliminary Cybersecurity Framework (PCF) in accordance with section 7(e) of President Obama’s February Executive Order (EO) on critical infrastructure cybersecurity. The release date was delayed nearly two weeks because of the recent government shutdown.
Notably, the PCF release now requires regulatory agencies responsible for regulating the security of critical infrastructure to assess whether they have authority to establish “requirements” based on the Cybersecurity Framework.
NIST will submit the PCF for stakeholder feedback via an upcoming 45-day comment period, as well as at an additional workshop November 14-15 at North Carolina State University. Venable has attended all of NIST’s workshops on the Framework and will be in attendance at the upcoming workshop in Raleigh.
The PCF prompted few surprises upon its release, as it reflected relatively minor changes since the draft preliminary Cybersecurity Framework was released in August. Examples of modifications since the last draft include:
- The addition of several new subcategories;
- The renaming of the Framework Implementation Tiers from 0-3 to 1-4; and
- The expansion and addition of citations to the privacy appendix in revision 4 of NIST’s SP800-53 in the privacy protection methodology contained in the PCF’s Appendix B.
NIST did not provide additional implementation guidance, but that task may ultimately be left to DHS and the other sector-specific agencies pursuant to section 8(b) of the EO.
Agency Review Process
Section 10(a) of the EO directs regulatory agencies with responsibility for regulating the security of critical infrastructure to:
- Review the PCF and “determine if current cybersecurity regulatory requirements are sufficient given current and projected risks;” and
- Within 90 days of publication, submit a report to the President that states:
- Whether or not the agency has clear authority to establish “requirements” (based upon the Cybersecurity Framework) to sufficiently address current and projected cyber risks to critical infrastructure;
- The authorities identified; and
- Any additional authority required.
Although this process does not require the development of any new regulations, the same agencies are directed by section 10(b) of the EO to propose, within 90 days of publication of the final Framework, “prioritized, risk-based, efficient, and coordinated actions...to mitigate cyber risk” if the agencies determine that current regulatory requirements are insufficient. Pursuant to this directive, regulatory agencies could conceivably engage in rulemakings or other regulatory action based on the Cybersecurity Framework.
The ambiguous language used in section 10 may have been included in the EO to provide flexibility to the White House to direct regulatory mandates, but only if participation in DHS’s voluntary program to adopt the Framework is regarded as insufficient, as indicated by recent statements by White House officials.
Fifth NIST Workshop
The fifth NIST workshop will cover some of the remaining logistical and other outstanding issues surrounding the Framework, including adoption considerations; considerations for small and medium businesses; how to use the Framework; the DHS voluntary program; research and development; and “Framework ecosystem” development.
Venable will be in attendance at the workshop and will be available before and after to answer questions and address client concerns.
The release of the PCF provides owners and operators of critical infrastructure with a better understanding of the likely contents of the final Cybersecurity Framework. As the release date of the final version – currently set for February 12, 2014 – approaches, questions regarding the liability implications associated with adoption or non-adoption of the Framework are more important than ever.
Venable addressed some of these questions in its recent live presentation and webinar, Cyber Sticks and Carrots: How the NIST Cybersecurity Framework, Incentives, and the SAFETY Act Affect You, on September 25, 2013.
We encourage owners and operators to contact us with questions on cyber liability management, including issues relating to insurance, the SAFETY Act, and corporate governance.
Venable will continue to closely follow NIST’s progress on the development of the Cybersecurity Framework, including the upcoming workshop and public comment period on the PCF. Venable’s attorneys are well-positioned to answer any and all questions on the Cybersecurity Framework, having participated in and attended all relevant meetings conducted by NIST since the Executive Order was released in February.
Venable LLP offers a broad array of legal services to a variety of different players within the cybersecurity arena. Our attorneys are adept at understanding complex client issues and tapping into the extensive experience of our many practice areas including privacy and data security, e-commerce, intellectual property, government contracting, telecommunications, energy, and corporate.
If you have any questions concerning this alert, please contact any of the authors.