The White House recently announced the official launch of the Cybersecurity Framework, which provides
voluntary guidelines for both public and private organizations
operating as part of the "critical infrastructure" to
create or improve upon their defenses and response protocols for
cyber-attacks. The framework was drafted as a result of the
President's February 12, 2013 Executive Order 13636, which called for the
development of a "prioritized, flexible, repeatable,
performance-based, and cost-effective approach" for assisting
organizations responsible for "critical infrastructure
services" to manage cybersecurity risk. In October, the U.S.
Department of Commerce's National Institute of Standards and
Technology released a Preliminary Framework. The release of the
Preliminary Framework was followed by a 45-day public comment
period.
The official Cybersecurity Framework is largely unchanged from the
preliminary draft, which Drinker Biddle partner Kenneth K. Dort
thoroughly detailed in a
previous client alert. The Cybersecurity Framework is organized
around three components: the Framework Core, the Framework
Implementation Tiers, and the Framework Profiles.
- The Framework Core suggests that organizations categorize and assess all activities related to cybersecurity into five basic functions: identification, protection, detection, response, and recovery.
- The section on Framework Implementation Tiers describes four levels of rigor in an organization's cybersecurity practices: Partial, Risk Informed, Repeatable and Adaptive. The Tiers provide criteria for an organization to both assess its current preparedness to deal with cyber risks and determine its goal level of preparedness. Organizations determine their current and goal Tiers by examining criteria such as regulatory requirements, business objectives, feasibility, actual threat, and considerations of privacy and civil liberties.
- An organization's Framework Profile is essentially a description of the organization's cybersecurity activities that addresses the five functions of the Framework Core in light of the organization's unique circumstances. The Framework Profile section suggests that an organization determine both a current and a target Profile in order to identify gaps between them.
For organizations seeking to use the Framework's principles
to establish or improve a cybersecurity program, the Framework
recommends seven steps, described as: Prioritize and Scope, Orient,
Create a Current Profile, Conduct a Risk Assessment, Create a
Target Profile, Determine, Analyze, and Prioritize Gaps, and
Implement Action Plan.
While the framework is entirely voluntary, we strongly recommend
that all of our clients—whether a part of critical
infrastructure or not—perform cyber risk assessments and
analysis to implement appropriate cybersecurity programs for their
organizations and prepare for data-privacy incidents and
cyber-attacks. Given the ever-increasing number of these incidents
and attacks, and given that the Cybersecurity Framework provides a
convenient benchmark for both litigants and regulators to use in
challenging the sufficiency of an organization's preparedness
and response, it is more important than ever for organizations to
re-evaluate their existing programs. We encourage organizations to
use the official release of the framework as an occasion to do just
that. Drinker Biddle can provide guidance and advice on the
framework and all aspects of data privacy and cybersecurity.
A public-private partnership created by the Department of Homeland
Security, the Critical Infrastructure Cyber Community (C3)
Program, is available to support organizations in implementing
the cybersecurity framework. The C3 Program has a useful
list of resources for businesses to use in the
process.
While the Cybersecurity Framework is now official, the framework
openly contemplates revisions. The framework describes itself as a
"living document" and is prominently labeled
"Version 1.0." Drinker Biddle will continue to monitor
the progression of the Framework and follow up when revisions
occur.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.