Date: Feb 06, 2017
Law360, New York (February 6, 2017, 1:20 PM EST) --
From ransomware attacks to data breaches at major retailers, health care facilities and other major players in the U.S. and international economy, cyberattacks continue to present serious threats to businesses across the supply chain. The growth of these attacks, and the dramatic increase in the number of connected products and networks, pose even larger threats to consumers, businesses and the infrastructure itself. With an increased focus by regulators on business measures to address cyber risks and prevent data breaches, and the growth of class action lawsuits, managing cybersecurity risks is now a key issue for C-suite executives. The National Institute of Standards and Technology (NIST) continues to offer important guidance for businesses interested in hardening their security measures.
The NIST Cybersecurity Framework
The voluntary NIST cybersecurity framework had its roots in former President Barack Obama’s Feb. 12, 2013 executive order, which called for the development of a risk-based, voluntary set of industry standards and best practices related to cybersecurity. The framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia and government agencies.
NIST first issued the framework for critical infrastructure in 2014. Since then, the framework has become a key reference point for businesses in managing cybersecurity risks, which increasingly touch businesses at all levels. Equally important, the framework is considered by some regulatory authorities to reflect a standard of conduct in responding to cyber threats and risks. This is a good time to review the framework, since NIST released a draft update on Jan. 10, 2017, seeking comments on the revisions. The update provides guidance on previously unclear key terms, a new section on managing supply chain risks, a clearer explanation of its tier system, and the introduction of cybersecurity metrics.
Why is the framework useful to businesses? It focuses on using business drivers to guide cybersecurity activities and advises businesses to consider cybersecurity risks as part of the organization’s risk management processes. NIST’s update, Version 1.1 of the “Framework for Improving Critical Infrastructure Cybersecurity,” incorporates feedback and suggestions received since 2014, including input from a December 2015 request for information and comments from attendees of an April 2016 workshop.
Application of the NIST Principles
Of course, applicability of specific cybersecurity measures depends on a company’s size, sophistication and use of technology. Regardless of size, the NIST framework can be seen as setting a reference standard of care for managing and responding to cybersecurity risks. Business sectors and companies may want to consider the framework’s systematic approach in developing their own procedures.
The five core concurrent and continuous functions specified in the original framework are:
· Identifying risks and key information assets;
· Protecting the key information identified;
· Detecting breaches;
· Responding to those breaches; and
· Recovering from those breaches.
These basic principles appear in all data security guidance documents. The Cybersecurity Enhancement Act of 2014 calls for NIST to continue its work on the framework.
How the NIST Framework Update Affects the Cybersecurity Landscape
Organizations need to set priorities for both resources and time. The proposed revisions to the NIST framework include a more detailed set of implementation tiers, which are designed to help businesses assess security priorities according to criticality.
Supply Chain Management
In previous comment periods, businesses asked for guidance on cyber supply chain risks, including how to better communicate cybersecurity requirements to stakeholders. The update adds a new section on supply chain risk management which standardizes terms and encourages organizations to develop a systemic approach to managing cyber supply chain risk:
... using real-time or near real-time information and leveraging an institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization … via enterprise risk management policies, processes and procedures. (Section 2.2, “Framework Implementation Tiers,” 443-450)