Privacy & Information Security Law Blog

On December 5, 2014, the National Institute of Standards and Technology (“NIST”) released an update on the implementation of the Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). NIST issued the Framework earlier this year in February 2014 at the direction of President Obama’s February 2013 Critical Infrastructure Executive Order. The update is based on feedback NIST received in October at the 6th Cybersecurity Framework Workshop as well as from responses to an August Request for Information.

The December 5 update reviews a number of issues related to Framework implementation. Most notably, the update reports that there is general awareness of the Framework among critical infrastructure sectors, though that awareness could be improved among smaller and medium-sized businesses. Stakeholders also indicated that the Framework, particularly the common practices outlined in the Framework’s Core, is providing a means to communicate expectations within and among companies and other entities in a sector. NIST found that although some stakeholders are using the Framework as a benchmark for operations, others are explicitly avoiding using the Framework in as a benchmark for operations. In that regard, NIST reports that among the Framework’s three components – the Core, Profile and Implementation Tiers – the Implementation Tiers “appear to be the least-used part of the Framework.” In other words, although the Framework is being adopted as a common means to examine cybersecurity systems, stakeholders are less likely to use the Framework to judge implementation of that system. Many stakeholders requested guidance on “real world” use of the Implementation Tiers. Others, though, continue to express reservation that the Framework could be used as a regulatory device.

NIST states that it is still too early to update the Framework as more time is needed to understand the current version. NIST indicates, however, that it will focus on providing guidance in the coming months on using the implementation tiers. In addition, NIST noted calls from stakeholders for regulatory agencies to promote the use of the Framework “by clear statements about the voluntary nature of the document.” While NIST currently does not have any formal opportunities to comment on the Framework, it is accepting feedback via at cyberframework@nist.gov.