NIST Introduces Proposed Updates to Cybersecurity Framework
Companies Have Until April 10, 2017 to Comment
Recently, the National Institute of Standards and Technology (“NIST”) released a proposed update (“Proposed Update”) to its Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”). This Proposed Update, if implemented, would update the February 2014 version of the Cybersecurity Framework.
For background, the Cybersecurity Framework was created through the collaborative efforts of both industry and government, and it consists of standards, guidelines and practices for private sector organizations to promote the protection of critical infrastructure, systems and networks. Although complying with the Cybersecurity Framework is voluntary, the Cybersecurity Framework provides a cyberrisk management guide that organizations can tailor to their own specific needs. The Proposed Update would not change the core functions of the Cybersecurity Framework, which include the following:
- Identify – develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities;
- Protect – develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;
- Detect – develop and implement the appropriate activities to identify the occurrence of a cybersecurity event;
- Respond – develop and implement the appropriate activities to take action regarding a detected cybersecurity event; and
- Recover – develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Four Key Features of the Proposed Update
1. Supply Chain Risk Management
The Proposed Update includes a section on supply chain risk management. This new section puts emphasis on the review of third parties, including vendors, suppliers and information technology providers, and the cybersecurity risks that may exist in the supply chain involving these third parties. Specifically, Section 3.3 of the Proposed Update requests that organizations (i) determine the cybersecurity requirements of third parties who can access the organization’s critical infrastructure; (ii) enact appropriate cybersecurity requirements and governance with third parties via contractual arrangements; (iii) communicate with third parties as to how the organization will verify that the third parties are following their cybersecurity requirements; and (iv) verify that the cybersecurity requirements are satisfied by third parties through assessment methodologies. For example, an organization that purchases information technology equipment or services from a third party may request a Cybersecurity Framework profile, providing the purchasing organization the ability to assess the third party supplier’s cybersecurity risk management procedures.
2. Information Sharing Practices
The Proposed Update also adds guidance related to information sharing practices. Through information sharing, organizations can compare their cybersecurity risk management procedures to other organizations also utilizing the guidance set forth in the Cybersecurity Framework.
3. Access Control
The updated Identity Control and Access Control section encourages organizations to implement comprehensive authentication and identity proofing processes. It does so based in part on updated definitions of “authentication” and “authorization,” and on the newly introduced concept of “identity proofing.”
4. Cybersecurity Measurement
Through the use of “measures” set forth in the Proposed Update, an organization can measure and demonstrate the effectiveness of its cybersecurity risk management procedures.
April 10, 2017 is the Cutoff for Public Comment on the Proposed Update
Businesses have until April 10, 2017 to submit comments to NIST before the Proposed Update goes into effect.
Because we know that many organizations look to NIST for cybersecurity guidance, Phillips Lytle’s Data Security & Privacy Practice Team will continue to monitor the Proposed Update. Please contact Jennifer A. Beckage, F. Kenneth Graham or any member of the firm’s Data Security & Privacy Practice Team if you have any questions about the Proposed Update, or how NIST or other guidance may apply to your business. We can also assist in policy drafting, from defensible record retention and destruction methods to crisis planning; data breach response, mitigation and notification; and evaluating an organization’s transfer, storage and use of data.