By Art Ehuan, Alvarez & Marsal, and Lisa J. Sotto, Hunton & Williams LLP
In February 2013, following the failure of legislative initiatives and in response to increasingly sophisticated and ever-growing cyber threats directed at businesses and government agencies by hackers, hacktivists, organized crime groups, terrorist organizations and nation-states, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” The Executive Order has three key components: (1) it requires government agencies to share cyber threat information with the private sector, (2) it mandates consideration of impacts on privacy and civil liberties, and (3) most importantly, it requires the development of a Cybersecurity Framework for critical infrastructure.
Section 7 of the Executive Order directs the Department of Commerce, specifically the National Institute of Standards and Technology (NIST), to develop a baseline Cybersecurity Framework to reduce cyber risks to critical infrastructure. Development of the Cybersecurity Framework was to be a collaborative effort between the government and the public. Since the issuance of the Executive Order, NIST has held four public meetings to discuss and collaborate on the proposed Cybersecurity Framework.
The fourth and last meeting was held in September 2013, and the official draft of the Cybersecurity Framework was just released for public comment. As directed by the Executive Order, on or about February 2014, NIST will release the final Cybersecurity Framework. With the release of the official draft, the government is one step closer to finalizing what will become a framework of best practices in securing the IT systems of critical infrastructure.
The intent of Section 7 of the Executive Order is to provide organizations that lack a risk management process, or those that have an immature or less developed risk management process, with a Cybersecurity Framework as a model for their business.
The Preliminary Framework Consists of Three Parts
First, there is the Framework “Core,” which lists the cybersecurity activities companies typically undertake and references the standards and guidelines that support each activity. The Core is organized around five Functions: Identify, Protect, Detect, Respond and Recover. The second part is the “Framework Profile,” which shows how the Core outcomes are integrated into an organization’s cybersecurity risk strategy or roadmap. Profiles are used to compare the current state of risk management against the desired state for the organization. The third part is the “Implementation Tiers,” which indicate how cyber risk is managed within an organization. The Tiers range from one to four, with Tier 4 indicating the most mature, adaptive approach to managing cyber risk.
Five Functions Comprise the Framework Core
The Framework Core (which is subject to change based on public comments) is built from four elements, described as Functions, Categories, Sub-Categories and Informative References.
The Functions matrix provides the overall model and structure for organizing cybersecurity efforts in an organization. There are five Functions. They consist of:
Identify function, which is used to define the organization’s assets, business partners and other areas that need to be protected;
Protect function, which is used to define the appropriate security safeguards and controls that protect the organization;
Detect function, which is used to define how the organization will detect cyber threats and events;
Respond function, which is used to define how the organization will react to a cyber event or incident; and
Recover function, which is used to define how the organization will restore operations and maintain continuity following a cyber event or incident.
Categories are the high-level cybersecurity activities within a Function that an organization must undertake for protection.
Sub-Categories are subdivisions of the Categories and state the specific outcomes to be achieved.
The Informative References list the existing standards, guidelines and practices (such as ISO/IEC 27001/27002:2005, COBIT and NIST publications) that an organization can map to in order to meet a Sub-Category.
Example of the Framework Core with applicable Function, Category, Sub-Category and Informative References:
As the example indicates, the Cybersecurity Framework incorporates the information protection standards an organization may already be using. Accordingly, an organization that uses ISO/IEC 27001/27002:2005 or another information security standard can map its existing controls to the Cybersecurity Framework, eliminating the need to reinvent the wheel. Organizations that do not have a framework in place can use the Cybersecurity Framework as the model for building one, drawing on standards appropriate for their industry, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards for the electric industry.
Understanding Your Cybersecurity Profile
To implement an effective cybersecurity framework, an organization must first understand its current security posture. A Current Profile establishes the baseline of how the organization protects its assets today. Once the Current Profile has been determined, the organization creates a Target Profile: the cybersecurity state it is striving to achieve for protection of its assets that is appropriate to its risk. The difference between the Current Profile and the Target Profile is the gap that management will need to address.
Example of the Cybersecurity Current Profile, Target Profile and Gap Identification:
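The two tables the article refers to (the Core structured as Function, Category, Sub-Category and Informative References, and the Current Profile versus Target Profile with its gap) can be expressed as a small gap-analysis script. The following is an added example, not code from the article or from NIST: the Sub-Category identifiers, the 0-3 implementation scores and the sample profiles are constructed for illustration, and the Informative Reference mappings are illustrative rather than NIST’s published ones. It prioritizes the largest gaps first and breaks ties in Core Function order, so a working group sees Identify gaps before Recover gaps of the same size.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Added example, not from the article. Subcategory IDs, the 0-3 score scale
and the sample profiles are constructed; reference mappings are illustrative.
"""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
SCORE_MIN, SCORE_MAX = 0, 3   # constructed scale: 0 = absent, 3 = implemented and measured


@dataclass(frozen=True)
class Subcategory:
    function: str
    category: str
    outcome: str
    references: tuple  # Informative References (illustrative mappings)


# Constructed subset of a Framework Core; identifiers are hypothetical.
CORE = {
    "ID.AM-1": Subcategory("Identify", "Asset Management",
                           "Physical devices and systems are inventoried",
                           ("ISO/IEC 27001:2005 A.7.1.1", "COBIT BAI09.01")),
    "PR.AC-1": Subcategory("Protect", "Access Control",
                           "Identities and credentials are managed",
                           ("ISO/IEC 27001:2005 A.11.2.1", "NIST SP 800-53 AC-2")),
    "DE.CM-1": Subcategory("Detect", "Continuous Monitoring",
                           "The network is monitored to detect cyber events",
                           ("NIST SP 800-53 SI-4",)),
    "RS.RP-1": Subcategory("Respond", "Response Planning",
                           "Response plan is executed during or after an event",
                           ("NIST SP 800-61",)),
    "RC.RP-1": Subcategory("Recover", "Recovery Planning",
                           "Recovery plan is executed during or after an event",
                           ("ISO/IEC 27001:2005 A.14.1.3",)),
}


def _check_profile(profile, core):
    """Reject profiles that reference unknown Sub-Categories or use off-scale scores."""
    unknown = sorted(set(profile) - set(core))
    if unknown:
        raise KeyError(f"profile references Sub-Categories not in the Core: {unknown}")
    for sc_id, score in profile.items():
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"{sc_id}: score {score} outside {SCORE_MIN}..{SCORE_MAX}")


def profile_gap(current, target, core=CORE):
    """Return [(subcategory id, current, target, delta)] for every Sub-Category
    where the Target Profile exceeds the Current Profile, largest delta first,
    ties broken in Core Function order (Identify before Recover)."""
    _check_profile(current, core)
    _check_profile(target, core)
    gaps = []
    for sc_id in core:
        cur = current.get(sc_id, SCORE_MIN)   # absent from Current Profile = not implemented
        tgt = target.get(sc_id, cur)          # absent from Target Profile = keep as-is
        if tgt > cur:
            gaps.append((sc_id, cur, tgt, tgt - cur))
    gaps.sort(key=lambda g: (-g[3], FUNCTIONS.index(core[g[0]].function)))
    return gaps


def gap_by_function(gaps, core=CORE):
    """Count open gaps per Function so management sees where effort concentrates."""
    counts = {f: 0 for f in FUNCTIONS}
    for sc_id, *_ in gaps:
        counts[core[sc_id].function] += 1
    return counts


def gap_report(current, target, core=CORE):
    """One line per gap, naming the Sub-Category and the references to consult."""
    lines = []
    for sc_id, cur, tgt, delta in profile_gap(current, target, core):
        sub = core[sc_id]
        lines.append(f"{sc_id} [{sub.function}/{sub.category}] {cur}->{tgt} (+{delta}): "
                     f"{sub.outcome}; see {', '.join(sub.references)}")
    return lines


# Constructed sample profiles.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 0, "RS.RP-1": 1, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 2, "RS.RP-1": 1, "RC.RP-1": 2}

if __name__ == "__main__":
    for line in gap_report(CURRENT_PROFILE, TARGET_PROFILE):
        print(line)
    print(gap_by_function(profile_gap(CURRENT_PROFILE, TARGET_PROFILE)))
```

A Sub-Category missing from the Current Profile is scored as not implemented, whereas one missing from the Target Profile is left at its current score; that asymmetry is deliberate, so an incomplete Target Profile never hides an unaddressed control, and an incomplete Current Profile never flatters the baseline.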
It's Good to be a 4
As indicated above, the Cybersecurity Framework also provides Implementation Tiers to characterize how an organization manages cyber risk. The Tiers are described as:
Tier 1: Partial. The organization has not defined or implemented a risk management process for cybersecurity.
Tier 2: Risk-Informed. The organization has implemented a risk management process for cybersecurity, but it is not fully mature or applied organization-wide.
Tier 3: Risk-Informed and Repeatable. The organization has a defined, repeatable risk management process and the flexibility to adjust it as cybersecurity threats change.
Tier 4: Adaptive. The organization has reached a high level of maturity; its process is dynamic and it anticipates cyber threats with appropriate responses.
A Voluntary Program?
The Cybersecurity Framework is intended to be a voluntary program for owners and operators of critical infrastructure. Although voluntary, the Executive Order calls for federal agencies to consider changes to the Federal Acquisition Regulation to encourage adoption of the Framework, and it requires agencies to report on the extent to which the private sector is complying. In addition, the Executive Order directs agencies to determine whether current regulatory requirements are sufficient, to report on whether they have authority to establish cybersecurity requirements and, if not, to propose what legislation might be needed. Federal agencies currently are reviewing the boundaries of their regulatory authority to determine how to press the Framework on private sector entities within their purview. On September 18, 2013, Thomas J. Curry, the Comptroller of the Currency, stated: “In my capacity as chairman of the Federal Financial Institutions Examination Council, which brings together all of the bank regulatory agencies, I called for the creation of a working group on cybersecurity issues to be housed under the FFIEC’s task force on supervision. The Cybersecurity and Critical Infrastructure Working Group was launched in June, and its members are already meeting with intelligence, law enforcement and homeland security officials. They are going to be considering how best to implement appropriate aspects of the President’s Executive Order on Cybersecurity, as well as how to address the recommendations of the Financial Stability Oversight Council.”
Last summer, the White House announced proposed incentives to encourage owners and operators of critical infrastructure to adopt the Framework. The key incentives involve cybersecurity insurance, adoption of the Framework as a condition for federal grants, and the possibility of limited liability for companies that adopt the Framework.
The term “critical infrastructure” is defined by Presidential Policy Directive (PPD) 21 as those “assets, networks, and systems—that are vital to public confidence and the Nation’s safety, prosperity and well-being.” PPD-21 identifies 16 critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.
No Need to Wait
There are numerous steps owners and operators of critical infrastructure can take in anticipation of the final Cybersecurity Framework in February 2014. They include:
identifying a point person to become familiar with the Cybersecurity Framework and its components;
identifying the organization’s risk approach based on its functions, assets and regulatory requirements;
determining the Current Profile of the organization’s existing cybersecurity posture;
reviewing policies, procedures and controls, and determining how they map to the Cybersecurity Framework;
identifying a Target Profile as the goal for the organization;
organizing a working group with robust management participation to review the results of the gap analysis and the analysis of existing policies and procedures, and to determine next steps; and
making informed changes based on risk, resources and regulatory requirements.
The continuing onslaught of cyber attacks against organizations requires a dedicated effort by businesses to protect their information assets. The Cybersecurity Framework should be viewed as a tool that can assist in securing an organization’s infrastructure. It provides an opportunity for management and staff to work together to define the cyber threats to the organization and to determine appropriate controls to protect it. Organizations would be well advised to monitor this quickly evolving legal environment closely.
Art Ehuan is a managing director with Alvarez & Marsal’s Global Forensic and Dispute Services in San Antonio, Texas. He is a strategic information security specialist with more than 20 years of experience working with U.S. and international clients and governments.
Lisa J. Sotto is the chair of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice and is the managing partner of the firm’s New York office.
Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.