On October 22, 2013, the National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework (“Framework”), marking one of the final steps in creating the “voluntary” Framework envisioned in an Obama Administration Executive Order (EO) issued earlier this year. That EO, which was designed to strengthen the cybersecurity of the United States’ critical infrastructure, required NIST to work with the private sector to develop a cybersecurity Framework to reduce the risks from cyber attacks. The Framework is designed to identify beneficial cybersecurity practices and create a common language for discussing those practices. While the Framework does not create new security standards, it uses existing standards to create a comprehensive approach to cybersecurity risk management that may be useful to companies with either nascent or more robust cybersecurity programs. The comment period on the Preliminary Framework closed on December 13, 2013, and the final Framework is expected to be released in February of 2014.
For further information about the Preliminary Framework, please see our client advisory entitled Cyber Alert: NIST Cybersecurity Framework Part I: Understanding Its Structure and Potential Impact, which provides an overview of the development of the Framework and its structure and content, discusses concerns with the Framework’s current approach to privacy and analyzes the extent to which the Framework will indeed remain “voluntary” for critical infrastructure entities. The advisory also discusses the broader implications of the Framework, including creation of a security standard of care and a ripple effect of applicability to non-critical infrastructure entities.