By Roberta Anderson and Jenny Paul
In an effort to create workable guidelines and practices to help organizations manage cyber risks, the National Institute of Standards and Technology last week released a Framework for Improving Critical Infrastructure Cybersecurity.
The Framework was developed in accordance with a February 2013 executive order that tasked NIST with developing a cost-effective Framework “to reduce cyber risks to critical infrastructure.” In conjunction with the release of the Framework, NIST also released a Roadmap for Improving Critical Infrastructure Cybersecurity, which discusses further steps NIST will take with the Framework and identifies key areas of development; alignment of cybersecurity standards and practices within the U.S. and globally; and collaboration with private and public sector organizations and standards-developing organizations.
The Framework guidelines are designed to encourage “critical infrastructure organizations,” such as those that operate in the energy, finance, telecommunications, defense, and utilities sectors, to assess their current cybersecurity risk profiles and risk management practices, to identify gaps that should be addressed in order to progress toward a target goal of cybersecurity risk management, and to communicate efficiently, within and outside of the organizations, about cybersecurity and risk management.
For now, the Framework is voluntary, and according to NIST, is intended to complement and not replace an organization’s risk management process and cybersecurity program. That said, the Department of Homeland Security has been tasked with developing a program to support the adoption of the Framework by critical infrastructure entities. This might involve the development of potential government incentives that would be designed to spur adoption of the Framework, including for example, cyber insurance options, such as streamlined underwriting or reduced premiums.
An in-depth look at the Framework can be found in this K&L Gates Client Alert.