On December 5, 2017, the National Institute of Standards and Technology (NIST) released a revised draft of its proposed updates to its Framework for Improving Critical Infrastructure Cybersecurity. The revised draft includes a new section on communicating with stakeholders about cybersescurity requirements, addresses stakeholder concerns regarding cybersecurity supply chain risk management and measuring cybersecurity risks and benefits, and addresses six new topics, including the Cyber-Attack Lifecycle. NIST has updated both the Framework and its accompanying Roadmap.
The revised Framework includes [...] Read more
The Multi-State Information Sharing and Analysis Center (MS-ISAC) published its 2016 mid-year review on August 22, 2016, highlighting large incidents of malware infections, with particular emphasis on ransomware and click fraud malware. In contrast to the MS-ISAC report, however, an August 2016 report suggests most organizations would benefit from addressing issues of credential management and network segmentation. The report is based on data collected over the course of 100 internal penetration tests (i.e., tests assuming one user on the network has already had their account compromised) on [...] Read more
Last week, the HHS Office for Civil Rights (OCR) released a crosswalk between the requirements of the HIPAA Security Rule and the NIST Cybersecurity Framework. The crosswalk – which was developed in conjunction with the National Institute of Standards and Technology (NIST) and the HHS Office of the National Coordinator for Health IT – maps each administrative, physical and technical safeguard standard and implementation specification of the HIPAA Security Rule to the relevant subcategory in the Cybersecurity Framework.
HHS notes that, because of the granularity of the NIST Cybersecurity [...] Read more
On Wednesday, April 29, 2015, the Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit issued new, detailed guidance on data breach incident response best practices. The document was announced at an invitation-only round table hosted by DOJ and provides guidance on what DOJ regards as “best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber-attacks and intrusions.” The document was prepared with input from federal prosecutors as well as private sector companies that experienced cybersecurity [...] Read more
On April 15, 2015, the Payment Card Industry Security Standards Council (PCI-SSC) updated the PCI Data Security Standard (PCI-DSS) from version 3.0 to version 3.1. The new version is effective immediately. PCI DSS Version 3.0 will be retired on June 30, 2015. A summary of the changes, along with the updated standard, can be found on the PCI-SSC website.
PCI DSS 3.1 updates requirements to remove SSL (a cryptographic protocol designed to provide secure communications over a computer network) and early Transport Layer Security (TLS) as examples of strong cryptography. SSL and early TLS cannot [...] Read more
On December 12, 2014, the National Institute for Standards and Technology (“NIST”) announced the release of Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (“SP 800-53A”). SP 800-53A is a companion guideline to Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (“SP 800-53”) and discusses how to build effective assessment plans and how to analyze and manage assessment results.
NIST’s announcement highlights [...] Read more
FCC Chairman Tom Wheeler made remarks on Thursday, June 12 at the American Enterprise Institute where he explained the FCC’s vision of how it will improve the communications sector’s cyber readiness. He announced a “new regulatory paradigm” where the FCC “relies on industry and the market first while preserving other options if that approach is unsuccessful.” Wheeler recognized that industry-led action on cybersecurity can be “more dynamic than traditional regulation” but at the same time all stakeholders’ efforts must be “real and meaningful” [...] Read more
On April 15, 2014 the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examination (“OCIE”) announced that it would assess the cybersecurity preparedness of the industry as a whole by examining the practices of 50 registered broker-dealers and investment advisers. OCIE will send tailored requests for information to each selected firm; the questions will focus on each entity’s cybersecurity governance, ability to identify and assess cyber risks, protect its networks, detect intrusions, and deal with the risks associated with [...] Read more
The National Institute of Standards and Technology (“NIST”) has released the final version of the much-anticipated Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). The Framework was developed by NIST at the direction of President Obama’s February 12, 2013, Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (the “Executive Order”).
The Framework largely retains the structure and components of the preliminary version of the Framework (a discussion of which can be found here), including (i) the Framework Core, (ii) the Framework [...] Read more
The Global Law Forum will host The Cybersecurity Law & Policy In-House Summit in Washington D.C. on January 14 and 15, 2014. The Summit will showcase panel discussions addressing a myriad of issues relevant to corporate counsel including establishing data breach response plans, understanding the cybersecurity insurance market, achieving Board of Directors and company buy-in on cybersecurity measures, as well as preparing for the upcoming final NIST Cybersecurity Framework and its potential to establish a new standard of care for liability. Special Assistant to President Obama and U.S. Cybersecurity [...] Read more
