NIST Cybersecurity Framework v1.0: Is Your Company “Tier 1—Partial?”
Companies are scrambling to digest Version 1.0 of the “Framework for Improving Critical Infrastructure Cybersecurity,” released by the National Institute of Standards and Technology (“NIST”) on February 12. The Framework was released one year to the day after President Obama’s Executive Order calling for the development of a voluntary, risk-based set of industry standards and best practices to help organizations manage cybersecurity risks. The three main components of the Framework are:
- The Core— a comprehensive set of risk-based standards and best practices that all organizations can use to achieve desired cybersecurity outcomes;
- Tiers—numbered from 1-4, ascending, representing how an organization views cybersecurity risk and the status of its response to that risk. The Framework states that, while only the lowest Tier, “Tier 1-Partial,” should be considered undesirable, “progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective;” and
- Profile—a mechanism that organizations or their components can use to identify and achieve desired cybersecurity outcomes.
The Framework raises several key questions for companies of all sizes:
1. Are you part of the critical infrastructure?
The 2013 Critical Infrastructure Presidential Policy Directive identified 16 critical infrastructure sectors and defined “sector-specific agencies” charged with risk management in each sector. Unfortunately for companies operating within those sectors or transacting business with such companies, the Framework does not provide additional guidance as to whether and to what extent they fall within its scope.
2. Does your company have to follow the Framework?
The Framework contains a set of baseline procedural and technical standards applicable across contexts, called the “Core.” Policymakers and plaintiffs’ attorneys may treat the Core as the de facto rules of the road—despite the fact that the Core describes the standards it incorporates as “non-exhaustive.” However, the Framework envisions its implementation as highly context-dependent, recognizing that critical infrastructure organizations, even within the same sector, may have different incentives and risk tolerance—and therefore gives organizations flexibility to set their own goals. This could thwart policymakers and litigants seeking to use the Framework as a blunt object with which to bludgeon critical infrastructure organizations.
3. What is the impact of being found to be “Tier 1—Partial” ?
The government will likely adopt procurement rules with flowdown provisions requiring certain contractors and their subcontractors/service providers to comply with the Framework. Companies designated “Tier 1—Partial” can expect that the contracting rules will require them to progress to a higher tier. Outside the contracting environment, the Framework does not explain how the government plans to incentivize “Tier 1—Partial” companies to progress.
4. What if your company has strong security but has not conducted a privacy and civil liberties review?
The Framework recognizes that organizations’ cybersecurity activities may have privacy implications. As such, the Framework recommends that organizations “consider how, in circumstances where such measures are appropriate, their cybersecurity program might incorporate privacy principles such as: data minimization in the collection, disclosure, and retention of personal information material related to the cybersecurity incident; use limitations outside of cybersecurity activities on any information collected specifically for cybersecurity activities; transparency for certain cybersecurity activities; individual consent and redress for adverse impacts arising from use of personal information in cybersecurity activities; data quality, integrity, and security; and accountability and auditing.” This highlights the need for legal compliance, which—particularly for multinational companies with monitoring tools deployed globally—may be more difficult than companies think.