On February 12, 2014, the National Institute for Standards and Technology (NIST) published its final Cybersecurity Framework document. NIST developed this Cybersecurity Framework in response to Executive Order No. 13636 for Improving Critical Infrastructure Cybersecurity. As previously reported in blog posts on February 15 and February 21 last year, President Obama issued this executive order to foster greater cooperation between owners and operators of critical infrastructure and federal agencies and to establish a voluntary program for protecting the cybersecurity of the nation’s critical assets.
As we reported in a blog post last October, NIST issued a preliminary Cybersecurity Framework document and solicited comments. NIST collected these comments on its website. The commenters in the energy sector largely sought recognition of the many cybersecurity protections that the energy sector has already established (such as NERC’s critical infrastructure protection (CIP) standards or the DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (C2M2)), and asked for the Cybersecurity Framework to be implemented on a coordinated basis across individual sectors.
In the final Cybersecurity Framework, NIST addressed the comments with modest changes to underscore how flexible the Cybersecurity Framework could be applied. As NIST notes, the Framework “can be used to manage cybersecurity risk across entire organizations or it can be focused on the delivery of critical services within an organization. Different types of entities — including sector coordinating structures, associations, and organizations — can use the Framework for different purposes, including the creation of common Profiles.” Elsewhere, NIST notes that “The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure,” and that individual organizations will need to bring to employ their own individual risk management policies and risk tolerances, legal and regulatory requirements, and business missions in employing the Framework. In the end, because of the open-architecture nature of the Cybersecurity Framework, the Framework establishes more of a process for describing existing and potential cybersecurity practices rather than spelling out what cybersecurity protections should be adopted by entities in critical sector industries.
Because of the flexibility built into the Cybersecurity Framework, it is difficult to tell how much traction the Framework will have in the energy sector. Since the electricity subsector has done a lot of work across the subsector on cybersecurity under NERC’s mandatory CIP standards, individual utilities may face compliance risks utilizing the Framework to develop protections beyond those required by the NERC standards. The entire electricity subsector (or energy sector as a whole) may need to come together to develop a common approach to implementing the Framework.
Even with coordinated efforts at the subsector or sector level, implementation of the Framework is complicated by the potential divergence between NERC’s CIP standards and the Framework. NERC defines assets subject to the CIP standards by reference to their impact on electric reliability, while the NIST framework defines critical infrastructure by reference to issues of national importance — economy and national security issues. The CIP standards are mandatory and prescriptive, while the Framework is voluntary and open ended. Moreover, the NIST framework relies on more than 400 “informative references” of which 11 are the NERC CIP standards. Understanding how to apply all of those informative references in the energy sector will require substantial effort.
Another factor that will affect voluntary adoption of the NIST Cybersecurity Framework will be the incentives that the Administration and the sector agencies will adopt to encourage private participation. Executive Order 13636 directed the Secretaries of the Department of Homeland Security (DHS), Treasury and Commerce to work together to establish a set of incentives. As we reported last August, the White House and DHS floated suggestions for possible incentives, including, inter alia, technical assistance, cybersecurity insurance, grants, streamlined regulation, cost recovery, and liability limitations. However, to date, the White House has not formally announced any final set of incentives.
Lastly, while posting the Cybersecurity Framework as a final product in conformance with the directive in Executive Order 13636, NIST made clear that more work needed to be done. NIST labeled the Framework as “version 1.0,” and as a companion to the Framework, NIST also released a “Roadmap for Improving Critical Infrastructure Cybersecurity.” In this Roadmap document, NIST makes clear its commitment to help organizations understand and use the Framework and to serve as a “convener and coordinator” of future improvements to the Framework, “at least through version 2.0.” NIST, however, made clear that it would like to transition the responsibility for the Framework to a non-governmental organization, and it outlined several substantive areas for improvement as required by Executive Order 13636, including authentication tools, automated indicator sharing, conformity assessment, cybersecurity workforce, data analytics, federal agency alignment, international impacts, supply chain risk management, and technical privacy standards.