On February 26, 2013, the National Institute of Standards and
Technology (NIST) issued a Request for Information (RFI) entitled,
"Developing a Framework to Improve Critical Infrastructure
Cybersecurity." The RFI requests "information to help
identify, refine, and guide the many interrelated considerations,
challenges, and efforts needed to develop" a Cybersecurity
Framework as mandated by
Cybersecurity Executive Order 13636 issued by the Obama
Administration on February 12, 2013.
The White House and NIST have repeatedly emphasized that the
Cybersecurity Framework, which will serve as the cornerstone of a
voluntary cybersecurity program for critical infrastructure owners
and operators, will be developed through an "open public
review and comment process" that will give stakeholders
numerous opportunities to provide input on the standards,
methodologies, procedures and processes that will make up the
Framework. The RFI represents the first opportunity for public
comment. Responses to the RFI must be submitted by 5:00 p.m. on
April 8, 2013.
The RFI states that the Framework development process will seek to
identify existing "cross-sector" cybersecurity standards
and guidelines that are currently or could be applied to critical
infrastructure as well as any "potential gaps (i.e., where
standards/guidelines are nonexistent or where existing
standards/guidelines are inadequate) that need to be addressed
through collaboration with industry and industry-led standards
bodies." Further, any gaps identified will be addressed
through collaboratively-developed action plans.
Although NIST admits that a one-size-fits-all Framework is not
possible in light of the diversity of industries and businesses
that own and operate critical infrastructure, the RFI states that
"there are core cybersecurity practices that can be identified
and that will be applicable to a diversity of sectors and a
spectrum of quickly evolving threats." Ultimately, the
Framework is intended to include, among other mechanisms,
consultative processes to assess cybersecurity-related risks and to
identify security controls that would adequately address those
risks, as well as "metrics, methods, and procedures that can
be used to assess and monitor, on an ongoing or continuous basis,
the effectiveness of security controls that are selected and
deployed that can be used to facilitate continuous improvement in
such controls."
In light of these goals, the RFI seeks input from organizations on
the following topics, each of which contains several questions:
1. current risk management practices;
2. use of frameworks, standards, guidelines, and best practices; and
3. specific industry practices.
Regarding the third category, NIST requests comment on a list of
potential "core" practices, including separation of
business from operational systems; use of encryption and key
management; identification and authorization of users accessing
systems; asset identification and management; monitoring and
incident detection tools and capabilities; mission/system
resiliency practices; security engineering practices; and privacy
and civil liberties protection.
For more information, see
Cybersecurity regulation: 5 issues for companies.
Venable attorneys will be working with critical infrastructure
owners and operators (including companies in the energy,
telecommunications, and banking sectors to name a few) to prepare
comments responding to these questions, and are actively monitoring
related public meetings, including the Senate Commerce and Homeland
Security Committees' joint hearing on the implementation of the
Cybersecurity Executive Order scheduled for March 7, 2013.
For more information on how to get involved in these efforts,
Venable LLP is hosting a live event/webinar, "
Cybersecurity Executive Order – A Briefing," on
Monday, March 11, 2013 from 12:00 p.m. to 2:00 p.m.
EDT. Speakers will include numerous Venable partners with
extensive experience in cybersecurity regulation and related
fields. To RSVP, please
click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.