From Skadden's recent Client Alert – see link below – On October 22, the National Institute of Standards and Technology (NIST) issued its Preliminary Cybersecurity Framework (the Preliminary Framework).[1] The Preliminary Framework represents the first full draft of the Cybersecurity Framework (the Framework) that President Obama ordered NIST to develop in his February 12, 2013, executive order addressing the regulation of critical infrastructure network security.[2]
As its name suggests, this document provides a framework that companies can use to guide their evaluation of their cybersecurity practices, to develop a plan to reduce their risks and to respond to security breaches. While the Preliminary Framework does not propose new cybersecurity standards, the executive order mandates that agencies use the Framework (once it is finalized) as the basis for reviewing critical infrastructure cybersecurity within regulated sectors. The executive order also asks those agencies to consider whether they have the legislative authority to enact any regulations that might be required. As a result, companies in regulated critical infrastructure industries should understand the basic contours of the Preliminary Framework.
Preliminary Framework Basics
The Preliminary Framework — which hews closely to the discussion draft of the Framework released in late August (the Discussion Draft) — remains open-ended, with little specific guidance on steps companies should take to improve their security posture. Instead, the Preliminary Framework lists various existing standards companies might adopt. For example, when advising that companies use separate testing environments for system development, the Preliminary Framework lists sections of the COBIT, ISO 27000 series and NIST SP 800 series standards that offer more specific suggestions on implementing such environments.[3]
The Preliminary Framework, like the Discussion Draft on which it is based, is composed of three parts — a Framework Core, the Framework Implementation Tiers and the Framework Profile.
The Framework Core lists the five security functions that a cybersecurity-conscious organization should consider, then breaks each one into categories and subcategories that should be addressed. The Framework Implementation Tiers describe the different tiers a company might fall into depending, in part, on how proactive it is in assessing risk. Finally, the Framework Profile is a tool organizations can use to apply the Framework Implementation Tiers to the functions under the Framework Core and develop a comprehensive cybersecurity strategy.
Notable Changes From the Discussion Draft
Although the Preliminary Framework closely tracks the Discussion Draft, there are a few important changes to note. Unlike the Discussion Draft, the Preliminary Framework is the first version to identify specific critical infrastructure industries. The draft indicates that “critical infrastructure” includes all 16 sectors designated as such by the presidential directive that accompanied the original executive order, including:
• commercial facilities
• critical manufacturing
• defense industrial base
• emergency services
• financial services
• food and agriculture
• government facilities
• healthcare and public health
• information technology
• nuclear services
• transportation systems
• water systems
Specific identification of these sectors likely lays to rest the possibility that the Framework will adopt a narrower definition of critical infrastructure.
In addition, the Preliminary Framework clarifies that critical infrastructure operators should employ the Framework not only to address information technology security, but also industrial control system (ICS) security. Companies in critical infrastructure sectors that use ICSs, including energy, nuclear services and transportation, should be aware of the potential for new regulation of those systems.
See full Alert: