Showing posts with label National Security. Show all posts

How Legal Can Leverage the Latest Version of the NIST Cybersecurity Framework

Mark Harrington

Last week, the National Institute of Standards and Technology (NIST) released an update to its Framework for Improving Critical Infrastructure Cybersecurity, incorporating feedback from its October workshop as well as responses to an August Request for Information. While adoption of the Framework remains voluntary and not a regulatory requirement, many large organizations in a variety of industries consider it to be an effective benchmark for security operations. We at Guidance Software believe it will soon be considered a “commercially reasonable” standard, but we also recommend incorporating additional, proactive security practices for a more complete security posture.

This most recent update to the Framework reports on certain implementation issues, including the need to expand awareness among smaller and medium-sized businesses in the critical infrastructure sector. Some concern exists that the Implementation tier of the Framework’s three main components—Core, Profile, and Implementation Tiers—is being used the least frequently. Instead, the Framework is being most commonly used simply as a basis for evaluating security—as a yardstick, if you will.

Information-Sharing Holds Real Promise for More Effective Organizational Defense

Among the aspects of the NIST Framework that I believe hold the most promise in defending our organizations is that of information-sharing. Many who have responded to NIST’s calls for feedback have expressed interest in expanding this type of collaboration in order to build more powerful threat intelligence feeds across American industries. While interest in participation is high, so are the levels of concern about the potential impact on corporate reputation if data breaches were made public. Since the original Framework was published, there has been a clear call for a means of reporting a breach and related information anonymously.

Congress has just passed the National Cybersecurity Protection Act in order to better support cyber-threat information exchange between the public and private sectors via the National Cybersecurity and Communications Integration Center. However, a bill that incorporates liability protections for those reporting on breaches will have to wait until early next year.

Billington Cybersecurity Summit: Situational Awareness and Cyber Resiliency

Victor Limongelli

I was pleased to have the opportunity to participate on a panel at the 5th Annual Billington Cybersecurity Summit, a very well attended event in Washington, DC yesterday. At the Summit’s opening keynote, Admiral Michael Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency, made a strong call for the adoption within cybersecurity of the military concept of “situational awareness,” both in government agencies and in corporate America. This, he said, can be achieved through understanding normal behavior across a network and on endpoints and having a way to quickly visualize anomalies.

The NSA Challenge: Protecting a Nation, its Citizens, and their Rights

Jason Fredrickson

The revelations late last year on the extent to which the National Security Agency (NSA) has encroached upon both corporate and citizens’ information have rapidly had an impact on everything from lost (and massive) technology deals with foreign customers to common information security (InfoSec) practices in the enterprise. This morning, President Obama addressed the media and the nation in a speech about the NSA program that gathers the private phone records of billions of Americans. Saying that he had not seen any indication of abuses of the program, he admitted that he recognized the potential for abuse and is requesting reforms to address these concerns.

The president announced the call for a “new approach” to phone-records collection, saying also that he is “ordering a transition that will end the…bulk metadata program as it currently exists” and establish a new mechanism that equips the NSA with the intelligence capabilities they need without the requirement to store what might be called “big metadata.” “This will not be simple,” President Obama noted, and said that a decision will need to be made on which entity will store the data and under which conditions the database can be queried. These are meaningful promises about important first steps that should be taken.