• United States




The rise of the NIST cybersecurity framework

May 11, 20188 mins
Data and Information SecurityGovernmentTechnology Industry

NIST's recently released Cybersecurity Framework version 1.1 showcases the Institute’s expanding role and the reliance of lawmakers on its guidance. While this should be welcomed given NIST’s rigorous technical approach, eventually the courts or legislators themselves will need to establish a legal standard that sets out what legally constitutes reasonable cybersecurity protections.

login credential - user name, password - administrative controls - access control - single sign-on
Credit: Thinkstock

The National Institute of Standards and Technology (NIST), the technical standards agency, has recently released the widely-referenced Cybersecurity Framework (version 1.1), incorporating input from industry and other stakeholders.

The Framework now includes: (i)  a new section on correlating cybersecurity risk management metrics to organizational objectives; (ii) expanded guidance for mitigating supply chain cyber risk, and underscores this new component by adding a Supply Chain Risk Management Category to the Framework Core; (iii) addresses vulnerability disclosures; (iv) refined language on authentication, identification and authorization; and (v)  treatment of the risks inherent in the Internet of Things (IoT) in addition to critical infrastructure. NIST removed a superfluous section on Federal Alignment, which detailed requirements for federal information systems. 

NIST standards have long been at the forefront of secure infrastructure system development, from Special Publication (SP) 800-53, which mandates security requirements for federal government IT systems, to SP 800-144, Guidelines on Security and Privacy in Cloud Computing. In 2012, with the rise of attention to cybersecurity-related risk exposure, NIST first launched a Cybersecurity Center of Excellence.

The Center’s role in establishing an overarching cybersecurity framework to be used as a guide for private sector systems was formalized two years later in S.1353 – the Cybersecurity Enhancement Act of 2014.  The same year, NIST released the version 1.0 of the Cybersecurity Framework as a guidebook for industry. 

Although it is often thought to be a “standard”, the drafters of the Cybersecurity Framework intended it to be a flexible framework that organizations could use when developing security systems. It was originally adopted in February 2014 for critical infrastructure sectors following an Executive Order by then-President Obama. Since then, it has been adopted by many different industries. The Cybersecurity Framework itself is based on already well-established fundamental information security principles. The Framework is therefore neither meant as a check-the-box exercise nor one that organizations can attain, but an important structure from which organizations can build.

On the Hill, it’s raining NIST

This year, lawmakers have introduced over a dozen bills relating to NIST, the majority of which concern cybersecurity. This demonstrates the increased recognition of a need for the private sector to coalesce around widely-recognized recommendations on how to build secure IT infrastructures. 

As just a few examples, in the House, H.R. 1562: SAFE Act would establish voting cybersecurity standards in collaboration with NIST; and H.R. 1981: Cyber Security Education and Federal Workforce Enhancement Act would work to better promote opportunities and to fill the gap in information security jobs within the federal government. In the Senate, we have S. 1656: Medical Device Cybersecurity Act of 2017, which would prescribe standards on cybersecurity in the healthcare space; and S. 1691: Internet of Things (IoT) Cybersecurity Improvement Act of 2017 to provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.

The House also recently passed H.R. 2105: NIST Small Business Cybersecurity Act. This bill will require NIST to offer additional cybersecurity tools to small businesses. The Senate passed S. 770 Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology (MAIN STREET) Cybersecurity Act, which was a similar piece of legislation. It will now go to committee but is on its way to becoming law. Another bill is aimed at creating a federal working group to develop IoT standards with NIST, S. 88 DIGIT Act. Reps. Darrell Issa and Suzan DelBene (who co-chair of the IoT Caucus) have recently urged Congress to pass the bill.

There seems no end in sight for lawmakers’ reliance upon NIST – as an Institute generally and for its guidelines, which is welcome news for security professionals. Despite proposed cuts to the Institute (and the Department of Commerce generally) under the President’s FT 2018 budget blueprint, the Congressional omnibus increased discretionary spending on the NIST budget by nearly 26% on FY 2017 levels. NIST is a highly-technical expert-driven organization, so their approach in providing rigorous security guidance is to be supported.

NIST’s expanding role

NIST’s role has expanded greatly over the last decade. This can be seen through a recent piece of legislation that proposed that the Institute would act as the auditor of federal agencies’ cybersecurity defense practices. H.R. 1224 NIST Cybersecurity Framework, Assessment, and Auditing Act has now been amended, given worries that it would take away from NIST’s neutral advisorial role as well as from its focus on best practice. They will, however, be required to perform an initial assessment of agencies’ “cybersecurity preparedness” and give technical assistance and input to agency inspector generals to audit their agencies next to NIST standards.

NIST is constantly seeking improvement to existing sector, agency or technology-specific guidelines. NIST is currently seeking feedback on protecting IoT devices, for example, including guidelines for federal agencies on purchasing, deploying and protecting internet-connected devices. The final version is expected to include an ‘inventory’ of existing cybersecurity standards that already exist in relation for this technology. IoT covers a huge range of different types of devices and sectors, all with many of their own sector-specific best practices and unique challenges, so while a set standard may be difficult, it is possible for a more comprehensive outlook (such as the working inventory that NIST is developing) to be formed.

NIST has also recently released an updated version of its risk-management framework (with a new section on data privacy), which includes better integration with the Cybersecurity Framework now that it is required of all agencies. Although all federal agencies have been required to comply with NIST SP 800-53, a May 2017 Executive Order directed all federal agencies to use the Cybersecurity Framework and the Risk Management Framework points to it instead of NIST 800-53, likely because the Cybersecurity Framework describes overarching principles which can be designed according to other publications, such as NIST SP 800-53.

In the United States, the NIST Cybersecurity Framework is widely pointed as the go-to standard for security practices and development. The FTC, SEC, state legislators, and others are increasingly using language requiring “reasonable” safeguards.  Having developed a cybersecurity program following Version 1.1 will mitigate cybersecurity-related liability exposure for businesses in the face of regulatory enforcement actions. 

NIST to the rescue?

Under current law in the United States, businesses have no clear guidance about how to build a security program that would comply with the law. No matter what security protections a business employs, it cannot be certain that the protections would be judged as being sufficient in a lawsuit or regulatory investigation. In many areas of the law, negligence standards tend to be much clearer and businesses generally know they can be considered legally sufficient if certain standards or conditions are met. In other words, those standards instruct businesses adequately on the steps to take to be reasonable and not negligent. 

Eventually, courts or legislators will somehow establish a legal standard that sets out what legally constitutes reasonable cybersecurity protections. Organizations will then be able to have greater certainty over whether their protocols and procedures are legally adequate (not to be confused with technologically or operationally adequate). In the meantime, businesses are contending with a plethora of different guidance, best practices and regulatory requirements. As there is not yet a wide body of case law that can define legal standards, organizations have struggled to define the exact measures that need to be taken to avoid being found negligent in the case of a cybersecurity breach or to mitigate against the risk of protracted federal or state regulatory investigations and enforcement actions. 

Proposed legislation in multiple states would offer businesses an affirmative defense (i.e., defendant company admits guilt but has a statutory justification for avoiding action) against data breach lawsuits if the business has built a cybersecurity program according to one of several named industry standards, including the NIST Cybersecurity Framework.

Ohio Senate Bill 220 would create a ‘safe harbor’ for businesses if they comply with the NIST Cybersecurity Framework or certain other standards.  The bill specifically mentions NIST 800-171, 800-53, the ISO 27000 family, the Center for Internet Security (CIS) critical security controls, Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Modernization Act (FISMA).

It’s worth noting that the bill does not provide defenses to state Attorneys General investigations, but an organization defending against a state AG enforcement action could certainly argue its program should pass muster with the AG’s office if it truly aligns with state-sanctioned industry standards.

In California, then-Attorney General Kamala Harris released a report on data breaches that that suggested that the Center for Internet Security (CIS) controls (formerly the SANS Top 20) as per se reasonable under California law. The two standards differ slightly but following either one properly would result in a solid cybersecurity program. 

Version 1.1 points to areas of interest and development, namely new authentication requirements, and supply chain risk management. Its inclusion of a lifecycle approach in the accompanying ‘Roadmap’ is also to be welcomed. Moreover, the guidelines reflect the growing recognition of NIST itself as a (literal) standard-setter in the cybersecurity landscape.

The inclusion of Internet of Things (IoT) technology, for example, is significant given the Federal Trade Commission (FTC)’s recent interest and enforcement in this area, which will no doubt be informed by whether IoT developers and manufacturers are following relevant NIST guidelines. It is also significant that vulnerability disclosure language has been added, which has been an increasing area of focus for the likes of the Department of Health and Human Services, following the release of the Health Care Industry Cybersecurity Task Force report last summer.


Tara Swaminatha is a partner at Squire Patton Boggs, focusing on cybersecurity, litigation and white collar investigations. Tara has acted as outside cybersecurity counsel on some of the most significant data breaches in recent years and has defended clients against federal, state and international regulatory actions and related litigation.

During her time in private practice, Tara has advised multinational companies on cybersecurity liability risk assessments, internal compliance measures and incident response protocols. In the instance of security or privacy incidents, Tara led an incident response effort and served as her client’s subject matter expert. Her extensive knowledge of how digital evidence may be used to prove facts litigation in security incidents has enabled her to minimize her clients’ litigation exposure during incident responses, investigations and data breaches.

At the Department of Justice (DOJ), Tara directed technical forensic investigations for federal law enforcement agencies, assisted prosecutors and investigators across the country with computer crime-related cases, and prosecuted IP crimes to combat massive online piracy of entertainment software, motion pictures and business software. Adding to her legal dexterity, Tara’s clients benefit from her technical understanding of cybersecurity methods and issues, having been the Information Security Administrator for the International Finance Corporation (IFC), part of the World Bank Group, built networks and conducted application security risk assessments while working at a boutique security firm prior to becoming a lawyer. Tara helped implement the IFC’s first information security policy for 3,000 employees worldwide.

In addition, Tara commits to considerable pro bono and volunteering activities. She represents pro bono juvenile clients seeking asylum and represents the National Association for the Education of Young Children on data governance and other matters. An active member of her community, she is a board member for the Hearing & Speech Center at Children’s National Medical Center and helps mentor families with children with hearing loss.

Tara is a frequent speaker on and writes extensively on security, privacy and cybercrime issues, having written one of the first textbooks on wireless security privacy and contributed to the National Association of Corporate Directors' Handbook on Cyber-Risk Oversight (2017 edition). She serves as an Adjunct Professor at George Mason University Law School where she teaches Computer Crime Law. She was named a Cybersecurity Trailblazer in 2017 by the National Law Journal and one of the leading cybersecurity incident response professionals as part of the “Incident Response 30.” She was also recognized in The Legal 500 for Cyber Law, where she is “commended for her experience in high-profile data breach investigations and “understands forensics and is able to digest technical reports in a meaningful and actionable way.”

The opinions expressed in this blog are those of Tara Swaminatha and do not necessarily represent those of Squire Patton Boggs or of IDG Communications, Inc., its parent, subsidiary or affiliated companies.