The rise of the NIST cybersecurity framework

The National Institute of Standards and Technology (NIST), the technical standards agency, has recently released the widely-referenced Cybersecurity Framework (version 1.1), incorporating input from industry and other stakeholders.

The Framework now includes: (i)  a new section on correlating cybersecurity risk management metrics to organizational objectives; (ii) expanded guidance for mitigating supply chain cyber risk, and underscores this new component by adding a Supply Chain Risk Management Category to the Framework Core; (iii) addresses vulnerability disclosures; (iv) refined language on authentication, identification and authorization; and (v)  treatment of the risks inherent in the Internet of Things (IoT) in addition to critical infrastructure. NIST removed a superfluous section on Federal Alignment, which detailed requirements for federal information systems. 

NIST standards have long been at the forefront of secure infrastructure system development, from Special Publication (SP) 800-53, which mandates security requirements for federal government IT systems, to SP 800-144, Guidelines on Security and Privacy in Cloud Computing. In 2012, with the rise of attention to cybersecurity-related risk exposure, NIST first launched a Cybersecurity Center of Excellence.

The Center’s role in establishing an overarching cybersecurity framework to be used as a guide for private sector systems was formalized two years later in S.1353 – the Cybersecurity Enhancement Act of 2014.  The same year, NIST released the version 1.0 of the Cybersecurity Framework as a guidebook for industry. 

Although it is often thought to be a “standard”, the drafters of the Cybersecurity Framework intended it to be a flexible framework that organizations could use when developing security systems. It was originally adopted in February 2014 for critical infrastructure sectors following an Executive Order by then-President Obama. Since then, it has been adopted by many different industries. The Cybersecurity Framework itself is based on already well-established fundamental information security principles. The Framework is therefore neither meant as a check-the-box exercise nor one that organizations can attain, but an important structure from which organizations can build.

On the Hill, it’s raining NIST

This year, lawmakers have introduced over a dozen bills relating to NIST, the majority of which concern cybersecurity. This demonstrates the increased recognition of a need for the private sector to coalesce around widely-recognized recommendations on how to build secure IT infrastructures. 

As just a few examples, in the House, H.R. 1562: SAFE Act would establish voting cybersecurity standards in collaboration with NIST; and H.R. 1981: Cyber Security Education and Federal Workforce Enhancement Act would work to better promote opportunities and to fill the gap in information security jobs within the federal government. In the Senate, we have S. 1656: Medical Device Cybersecurity Act of 2017, which would prescribe standards on cybersecurity in the healthcare space; and S. 1691: Internet of Things (IoT) Cybersecurity Improvement Act of 2017 to provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.

The House also recently passed H.R. 2105: NIST Small Business Cybersecurity Act. This bill will require NIST to offer additional cybersecurity tools to small businesses. The Senate passed S. 770 Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology (MAIN STREET) Cybersecurity Act, which was a similar piece of legislation. It will now go to committee but is on its way to becoming law. Another bill is aimed at creating a federal working group to develop IoT standards with NIST, S. 88 DIGIT Act. Reps. Darrell Issa and Suzan DelBene (who co-chair of the IoT Caucus) have recently urged Congress to pass the bill.

There seems no end in sight for lawmakers’ reliance upon NIST – as an Institute generally and for its guidelines, which is welcome news for security professionals. Despite proposed cuts to the Institute (and the Department of Commerce generally) under the President’s FT 2018 budget blueprint, the Congressional omnibus increased discretionary spending on the NIST budget by nearly 26% on FY 2017 levels. NIST is a highly-technical expert-driven organization, so their approach in providing rigorous security guidance is to be supported.

NIST’s expanding role

NIST’s role has expanded greatly over the last decade. This can be seen through a recent piece of legislation that proposed that the Institute would act as the auditor of federal agencies’ cybersecurity defense practices. H.R. 1224 NIST Cybersecurity Framework, Assessment, and Auditing Act has now been amended, given worries that it would take away from NIST’s neutral advisorial role as well as from its focus on best practice. They will, however, be required to perform an initial assessment of agencies’ “cybersecurity preparedness” and give technical assistance and input to agency inspector generals to audit their agencies next to NIST standards.

NIST is constantly seeking improvement to existing sector, agency or technology-specific guidelines. NIST is currently seeking feedback on protecting IoT devices, for example, including guidelines for federal agencies on purchasing, deploying and protecting internet-connected devices. The final version is expected to include an ‘inventory’ of existing cybersecurity standards that already exist in relation for this technology. IoT covers a huge range of different types of devices and sectors, all with many of their own sector-specific best practices and unique challenges, so while a set standard may be difficult, it is possible for a more comprehensive outlook (such as the working inventory that NIST is developing) to be formed.

NIST has also recently released an updated version of its risk-management framework (with a new section on data privacy), which includes better integration with the Cybersecurity Framework now that it is required of all agencies. Although all federal agencies have been required to comply with NIST SP 800-53, a May 2017 Executive Order directed all federal agencies to use the Cybersecurity Framework and the Risk Management Framework points to it instead of NIST 800-53, likely because the Cybersecurity Framework describes overarching principles which can be designed according to other publications, such as NIST SP 800-53.

In the United States, the NIST Cybersecurity Framework is widely pointed as the go-to standard for security practices and development. The FTC, SEC, state legislators, and others are increasingly using language requiring “reasonable” safeguards.  Having developed a cybersecurity program following Version 1.1 will mitigate cybersecurity-related liability exposure for businesses in the face of regulatory enforcement actions. 

NIST to the rescue?

Under current law in the United States, businesses have no clear guidance about how to build a security program that would comply with the law. No matter what security protections a business employs, it cannot be certain that the protections would be judged as being sufficient in a lawsuit or regulatory investigation. In many areas of the law, negligence standards tend to be much clearer and businesses generally know they can be considered legally sufficient if certain standards or conditions are met. In other words, those standards instruct businesses adequately on the steps to take to be reasonable and not negligent. 

Eventually, courts or legislators will somehow establish a legal standard that sets out what legally constitutes reasonable cybersecurity protections. Organizations will then be able to have greater certainty over whether their protocols and procedures are legally adequate (not to be confused with technologically or operationally adequate). In the meantime, businesses are contending with a plethora of different guidance, best practices and regulatory requirements. As there is not yet a wide body of case law that can define legal standards, organizations have struggled to define the exact measures that need to be taken to avoid being found negligent in the case of a cybersecurity breach or to mitigate against the risk of protracted federal or state regulatory investigations and enforcement actions. 

Proposed legislation in multiple states would offer businesses an affirmative defense (i.e., defendant company admits guilt but has a statutory justification for avoiding action) against data breach lawsuits if the business has built a cybersecurity program according to one of several named industry standards, including the NIST Cybersecurity Framework.

Ohio Senate Bill 220 would create a ‘safe harbor’ for businesses if they comply with the NIST Cybersecurity Framework or certain other standards.  The bill specifically mentions NIST 800-171, 800-53, the ISO 27000 family, the Center for Internet Security (CIS) critical security controls, Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Modernization Act (FISMA).

It’s worth noting that the bill does not provide defenses to state Attorneys General investigations, but an organization defending against a state AG enforcement action could certainly argue its program should pass muster with the AG’s office if it truly aligns with state-sanctioned industry standards.

In California, then-Attorney General Kamala Harris released a report on data breaches that that suggested that the Center for Internet Security (CIS) controls (formerly the SANS Top 20) as per se reasonable under California law. The two standards differ slightly but following either one properly would result in a solid cybersecurity program. 

Version 1.1 points to areas of interest and development, namely new authentication requirements, and supply chain risk management. Its inclusion of a lifecycle approach in the accompanying ‘Roadmap’ is also to be welcomed. Moreover, the guidelines reflect the growing recognition of NIST itself as a (literal) standard-setter in the cybersecurity landscape.

The inclusion of Internet of Things (IoT) technology, for example, is significant given the Federal Trade Commission (FTC)’s recent interest and enforcement in this area, which will no doubt be informed by whether IoT developers and manufacturers are following relevant NIST guidelines. It is also significant that vulnerability disclosure language has been added, which has been an increasing area of focus for the likes of the Department of Health and Human Services, following the release of the Health Care Industry Cybersecurity Task Force report last summer.