NIST Cybersecurity Framework: Don’t Underestimate It

A cybersecurity framework for critical infrastructure owners is voluntary but will become the de facto standard for litigators and regulators. Here's how to prepare.

Any company that manages critical infrastructure within the US and disregards the Preliminary Cybersecurity Framework, issued by the National Institute of Standards and Technology (NIST) in late October, does so at its own peril. The framework, which is now in its final comment stage and is due to be released in mid-February, lays out a set of comprehensive but voluntary cybersecurity practices.

However, critical infrastructure owners should recognize that, if a company's cybersecurity practices are ever questioned during a regulatory investigation or litigation, the baseline for what is considered commercially reasonable is likely to become the NIST Cybersecurity Framework.

The Department of Homeland Security defines critical infrastructure companies broadly to include banking and finance, communications, critical manufacturing, the defense industrial base, energy, emergency services, food and agriculture, healthcare, information technology, utilities, and transportation systems. These companies must be prepared to document and demonstrate that their cybersecurity practices are in step with the practices promoted throughout the NIST framework.

The framework was issued at the direction of the White House in February under Executive Order 13636. The order tasked NIST with developing a "set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks."


NIST conducted four cybersecurity workshops and consulted with more than 3,000 individuals and organizations on best practices for securing IT infrastructure before releasing the framework. That level of consultation, and the broad industry input it produced, supports the notion that the framework will be recognized as an industry standard.

There are no surprises in the framework, because it represents a summary of best practices. It provides companies with standardized criteria for analyzing and mitigating risks. Those risks are organized around five core activities that a company's management and IT security teams must routinely perform when facing security risks: identify, protect, detect, respond, and recover. For each of these activities, the framework sets out the methods and practices it recommends for effectively minimizing cyber risk.

The NIST framework also establishes four implementation tiers, which describe how extensively an organization manages its cybersecurity risks. The higher the tier, the more advanced a company's risk management procedures become.

Critical infrastructure companies defending their cybersecurity practices in litigation or regulatory investigations must be prepared to show that their practices adhere to Tier 4, considered "adaptive," meaning the organization continually evaluates the threats it faces, tests its procedures, and modifies those procedures where appropriate to address new threats.

The framework also highlights why it is important for senior management to establish and supervise a cybersecurity program. The framework places senior management at the top of the decision-making process and holds senior managers accountable for compliance with the framework. Although senior managers without a technical background may be tempted to defer responsibility to their IT departments, complying with the framework requires them to be educated about the choices their company faces and to take responsibility for allocating appropriate resources to address risks.

Ultimately, the NIST framework seeks to establish a common vocabulary for companies to discuss and evaluate one another's cybersecurity practices. If the framework is used as an industry standard in a legal proceeding, it will not be enough for a company to have engaged in practices similar to those described in the framework. It must be able to document its compliance with the framework in the language of the framework.

There are additional benefits companies will want to consider. The Obama administration is considering certain incentives to promote the framework and spur its adoption. Those incentives might include cybersecurity insurance, rate recovery, process preference, and grants for adopters.

In preparation for potential recognition of the framework as an industry standard for critical infrastructure companies, these companies should consider doing the following.

  1. Revise security policy documents to adopt and reflect the language and vocabulary of the framework.
  2. Establish regular procedures for identifying new threats, testing security procedures, and updating procedures to address those threats, thereby establishing an adaptive cybersecurity program.
  3. Ensure that senior management is active in establishing a cybersecurity strategy for the company and in reviewing the implementation of that strategy.

Foolproof cybersecurity protection does not exist. But by taking these steps, a critical infrastructure company will be well positioned to defend its practices as meeting industry standards when things go wrong.

Gerald Ferguson serves as the coordinator for the Intellectual Property, Technology, and Media Group in BakerHostetler's New York office and as the national co-leader of its Privacy and Data Protection Team.
