How Legal Can Leverage the Latest Version of the NIST Cybersecurity Framework

Mark Harrington

Last week, the National Institute of Standards and Technology (NIST) released an update to its Framework for Improving Critical Infrastructure Cybersecurity, incorporating feedback from its October workshop as well as responses to an August Request for Information. While adoption of the Framework remains voluntary and not a regulatory requirement, many large organizations in a variety of industries consider it to be an effective benchmark for security operations. We at Guidance Software believe it will soon be considered a “commercially reasonable” standard, but we also recommend incorporating additional, proactive security practices for a more complete security posture.

This most recent update to the Framework reports on certain implementation issues, including the need to expand awareness among small and medium-sized businesses in the critical-infrastructure sector. There is some concern that, of the Framework's three main components (Core, Profiles, and Implementation Tiers), the Implementation Tiers are the one used least frequently. Instead, the Framework is most commonly being used simply as a basis for evaluating security: as a yardstick, if you will.

Information-Sharing Holds Real Promise for More Effective Organizational Defense

Among the aspects of the NIST Framework that I believe hold the most promise for defending our organizations is information-sharing. Many who have responded to NIST's calls for feedback have expressed interest in expanding this type of collaboration in order to build more powerful threat-intelligence feeds across American industries. While interest in participation is high, so is concern about the potential impact on corporate reputation if shared breach data were made public. Since the original Framework was published, there has been a clear call for a means of reporting a breach and related information anonymously.

Congress has just passed the National Cybersecurity Protection Act to better support cyber-threat information exchange between the public and private sectors via the National Cybersecurity and Communications Integration Center (NCCIC). However, a bill that incorporates liability protections for those reporting on breaches will have to wait until early next year.

Alignment Makes Sense for Most Corporations

Helping your organization prepare for alignment with the NIST Framework and for participation in intelligence-sharing can put you in a position to benefit from the most recent and deepest threat intelligence available once the Framework becomes firmly established in American industry. Taking steps to bring your security systems and protocols into alignment with the Framework will also help you make the case, following a breach, that you took reasonable steps to protect sensitive information.

In addition, if legislation passes in 2015 that incorporates the expected liability and privacy protections for those sharing information, the risks of participation will be far outweighed by the benefits.

As inside counsel, you can help influence and participate in this organizational initiative by:

  • Calling a meeting with your CIO, Information Security, and other stakeholders to review the NIST Framework
  • Encouraging an assessment of where your organization stands today in meeting the standards in the Framework
  • Asking stakeholders to consider ramping up to participate in information-sharing within a certain timeframe
  • Asking how your legal team can help

Whether your organization is part of the critical-infrastructure industries or not, being in a position to positively and proactively work with federal protection agencies can only improve your reputation with your market, industry partners, and those agencies themselves, something that can be invaluable following a breach.

Are You Working with NIST or NCCIC?

I encourage your comments in the section below. For more information on the NIST Cybersecurity Framework and how to support it, consider these resources, including two webinars featuring Adam Sedgewick, the NIST Senior Policy Advisor who led the development of the Framework.

Mark E. Harrington is General Counsel and Corporate Secretary at Guidance Software and oversees worldwide legal responsibility for the company.
