On February 12, 2014, as directed by President Barack Obama in Executive Order No. 13636, the National Institute of Standards and Technology (“NIST”), an agency within the Department of Commerce, released the final Cybersecurity Framework (“Framework”). While the Framework is intended to be voluntary, and is designed to facilitate the establishment of a national set of standards for cyber risk management across all segments of the economy, the manner in which the Framework will be implemented by and through the Sector-Specific Agencies, such as the Department of Energy (“DOE”), remains to be seen. Electric and gas utilities, among other business segments, should closely follow the implementation of the Framework to ensure that the industries’ unique issues, including cost recovery and liability protection, are adequately considered.
The Framework was created through collaboration between government and the private sector. Because the Framework is intended to guide cyber efforts across many industries, the Framework uses a common language to address and manage cybersecurity risk. The Framework consists of three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profile.
Accompanying the Framework is the NIST Roadmap. The Roadmap notes that the Framework will continue to be updated and improved as industry participants provide feedback on implementation. To that end, NIST intends to hold at least one workshop within six months to provide a forum for stakeholders to share their experiences in using the Framework. NIST also expects to transition responsibility for the Framework to a non-governmental organization that has not yet been identified.
Also on February 14, the Department of Homeland Security (“DHS”) launched the Critical Infrastructure Cyber Community (“C³”, pronounced “C-Cube”) Voluntary Program. The intent of the C³ Voluntary Program is to: (1) support industry in increasing its cyber resilience; (2) increase awareness and use of the Framework; and (3) encourage organizations to manage cybersecurity as part of an all-hazards approach to enterprise risk management. During its first year, the C³ Voluntary Program will focus on engagement with Sector-Specific Agencies and with organizations using the Framework, in order to develop guidance on how to implement it. The first meeting of the C³ Voluntary Program is February 19th. The Sector-Specific Agency for the electricity and gas industries is DOE.
The various releases on February 12 are silent on the issue of incentives (including the liability protections mentioned in the Treasury Department’s report on incentives) for industry to implement the Framework. An earlier DHS release noted that engagement on incentives would occur during the voluntary program, but nothing was said about incentives in the Framework or the Roadmap, or in the description of the C³ Voluntary Program (see the October 25, 2013 edition of the WER). Moreover, while the Framework describes itself as “voluntary,” none of the February 12 releases addressed the Treasury Department’s statement, in its report, that adopting the Framework could satisfy a duty of care for purposes of determining liability. Nor did the Framework address the Treasury Department’s recommendations against establishing new tax incentives or creating a government program for cyber insurance.
A copy of the Cybersecurity Framework is available here.