March 22, 2017

NIST in the Private Sector


The National Institute of Standards and Technology (NIST), a non-regulatory agency within the Department of Commerce, is responsible for developing technology, metrics, and standards for federal agencies. Although relatively small and unknown to the general public, NIST has been providing valuable input to the data protection, cybersecurity, and privacy fields for many years and is a leader in them. Recently, its reach and influence have grown along with cybersecurity concerns in all sectors, and they now extend well into the private sector.

Among other duties, NIST promulgates standards and guidelines to ensure government information is secure. These standards are constantly evolving and being updated. For example, in 2013, President Obama issued Executive Order 13636, which instructed NIST to develop a means by which the cybersecurity of critical infrastructure could be measured and improved. "Critical infrastructure" includes industries vital to the country's economy, security, and health, including, but not limited to, the finance, energy, and healthcare industries. Through its work, NIST provides guidance that aids organizations in determining what measures can be put in place to prevent major security attacks. Because of the scope of the Order, and the importance of the underlying goal, the resulting NIST standards, referred to as the Cybersecurity Framework, are comprehensive. Moreover, in order to make the first draft of the Cybersecurity Framework as effective as possible, NIST sought advice not only from government actors, but also from the private sector. Since 2013, NIST has held several Cybersecurity Framework workshops with thousands of participants, ranging from members of industry associations and private companies to employees at government agencies. A first version of the Cybersecurity Framework was released in 2014, but NIST frequently updates its standards and guidelines. On January 10, 2017, NIST released a new draft version 1.1 of its Cybersecurity Framework (CSF). Details of the changes can be found in the following Venable Cybersecurity Alert.

While NIST's cybersecurity and privacy guidelines, including the updated Cybersecurity Framework, were created for use by federal agencies, its influence and standards are widely seen in the private sector and in many private sector commercial agreements. A recent Gartner study reported that NIST's Cybersecurity Framework is already used by 30% of U.S. organizations. This number is expected to rise to 50% by 2020. According to a March 2016 survey by Dimensional Research, 70% of these organizations adopted the framework to align themselves with cybersecurity best practices, 29% were required to do so by business partners, and 28% adopted the framework because of federal contract requirements.

The NIST framework is voluntary, but following it can be beneficial for both vendors and clients. First, the framework is flexible and can be adjusted based upon the needs of the organization. Therefore, the framework does not impose a single fixed level of standards that would be too demanding for small organizations or too lax for large ones. As a result, using the NIST framework to implement a risk-based approach to security blends well with the reasonableness requirements of many commercial agreements. If a data incident occurs, and the vendor has been using the NIST framework appropriately, potential damages may be lessened. The NIST framework also represents a comprehensive approach to data security, and provides tangible considerations with respect to protecting data. Therefore, it is easy for companies to reference this framework as a way to develop minimum requirements in commercial contracts. The customer receives adequate protection, while a flexible approach to security remains available to the vendor.

The NIST Cybersecurity Framework is impacting not only federal agencies, but also private industries. With guidance from counsel, private companies can include or reference NIST standards in commercial contracts as a means to address information security.

Allison Laubach, a first year associate, assisted with preparation of this article.