The release of the new cybersecurity framework by the National Institute of Standards and Technology (NIST) on Oct. 29, 2013, will likely increase the risk of liability facing corporate fiduciaries. Given the impact it will have on businesses, President Barack Obama, in the executive order “Improving Critical Infrastructure Cybersecurity,” directed NIST to work with the public to develop the framework. And it is still a work in progress. The 45-day public comment period on the preliminary framework is open until 5 p.m. EST on Friday, Dec. 13.
Although targeted toward critical infrastructure companies, once enacted, the framework will consist of “voluntary” standards, guidelines and best practices. However, the standards will likely become the measuring stick against which the actions—or inaction—of all corporate leaders will be judged. As a result, diligent corporate officers, regardless of industry, should understand the contours of the framework, take advantage of the opportunity to influence the framework and ensure that their companies are compliant with the NIST recommendations to reduce cyberrisks.
What is the NIST cybersecurity framework?
The NIST cybersecurity framework is an outgrowth of the executive order issued by President Obama in February. The order called for the development of a cybersecurity framework for managing cyber risks within critical infrastructure sectors. According to the NIST, the framework is intended to be “prioritized, flexible, repeatable, performance-based, and cost-effective.” The NIST is developing the cybersecurity standards in coordination with industry members to serve as “best practices” for companies in sectors such as power, telecommunications, transportation, financial services and energy. In an effort to build support and cooperation, the standards do not mandate specific security controls. Rather, they are intended to provide specific guidance for detecting and responding to attacks, mitigating fallout from cyberincidents and managing overall cyberrisks.
While subject to change, the framework provides a common language and mechanism for organizations to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify/prioritize opportunities for improved risk management
- Assess progress toward the target state
- Foster communication among internal and external stakeholders
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.
For questions call 1-877-256-2472 or contact us at [email protected]