New Government Cybersecurity Standards Could Impact Many Companies

[Editor’s Note: The following update is authored by Arnold & Porter LLP]

The National Institute of Standards and Technology (NIST) is not a household name, particularly outside the I-495 Beltway surrounding Washington, D.C., but companies across the country may soon be impacted by NIST’s growing role in cybersecurity. President Obama has charged NIST, an agency in the Department of Commerce, with developing a new Cybersecurity Framework for private sector owners and operators of critical infrastructure and new Senate legislation would cement NIST’s cybersecurity role. On August 6, 2013, the White House released a list of potential incentives the government may offer to encourage companies to adopt NIST’s Cybersecurity Framework, including liability protections, cybersecurity insurance, and cybersecurity conditions in government grants.

NIST’s Cybersecurity Framework is part of a larger federal government initiative to increase private sector cybersecurity. Many of the government’s efforts to date, such as the Department of Defense’s Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) program, have focused on information sharing with defense contractors and reducing cybersecurity risk in the supply chain. NIST’s Cybersecurity Framework would apply beyond defense contractors to the full spectrum of private sector owners and operators of critical infrastructure in order to increase the adoption of industry cybersecurity best practices and companies’ investments in protecting their information systems.

The standards and best practices that make up the NIST Cybersecurity Framework will impact a broad range of companies in the telecommunications, energy, finance, and transportation industries. This Advisory provides an overview of recent cybersecurity-related legislative and regulatory developments and opportunities for interested companies to participate in the policy process.

NIST’s Growing Role in Cybersecurity

On July 10th through 12th, 2013, NIST held the third in a series of Cybersecurity Framework workshops that started in April. These workshops are part of NIST’s effort to develop the Cybersecurity Framework required under Executive Order 13636 (EO 13636), which President Obama signed on February 19, 2013. Each workshop has been attended by hundreds of participants from private industry who are working with NIST to develop a set of standards, guidelines, and procedures to reduce cyber risk to critical infrastructure.

While the NIST framework would be voluntary, the White House has put forth a suggested list of incentives for companies to adopt the standards, as discussed below. Many in the private sector have expressed concerns that once finalized, the Cybersecurity Framework will effectively become mandatory because critical infrastructure companies would be expected to meet the standards.

At NIST’s July workshop in San Diego, the participants refined the draft Preliminary Framework Outline and Core that NIST released on July 1, 2013. The outline and core documents NIST released in early July were largely a shell, so part of the goal of the workshop was to generate content by engaging with industry and other stakeholders.

Based on the input generated at the San Diego workshop, NIST plans to post a preliminary draft of the full Cybersecurity Framework in August 2013. Interested companies will have an opportunity to provide feedback on the forthcoming draft framework at NIST’s fourth and final workshop, which will be held at the University of Texas at Dallas on September 11th through 13th. NIST plans to publish the framework in the Federal Register for public comment on October 10, 2013, which will give industry another opportunity to provide input on the standards and best practices before they are finalized. EO 13636 requires NIST to finalize the framework by February 19, 2014.

NIST will continue to play a key role in cybersecurity even after the framework is finalized. In addition to updating the standards and guidelines that make up the framework, NIST announced this spring that it also plans to establish a Federally Funded Research and Development Center (FFRDC) focused on cybersecurity. FFRDCs, such as the National Aeronautics and Space Administration’s Jet Propulsion Laboratory at the California Institute of Technology, enable government agencies to engage with the private sector to address special long-term research and development needs. NIST’s new FFRDC would facilitate public-private collaboration to accelerate the adoption of integrated cybersecurity tools and technologies. The proposed FFRDC will have three primary purposes: (1) research, development, engineering, and technical support; (2) program and project management, including expert advice and guidance focused on increasing the effectiveness and efficiency of cybersecurity applications, prototyping, demonstrations, and technical activities; and (3) facilities management.
