Congress has proposed dozens of bills related to cybersecurity topics over the last decade, all of which went nowhere. That is, until recently. In December of last year, lawmakers and the President put some of their disagreements over cybersecurity reform to the side and passed the following into law: 1) National Cybersecurity Protection Act (NCPA); 2) Cybersecurity Enhancement Act of 2014 (CEA); 3) Federal Information System Modernization Act of 2014 (FISMA 2014); 4) Cybersecurity Workforce Assessment Act (CWWA); and, 5) Border Patrol Agent Pay Reform Act (BPAPRA).
For the most part, these bills address federal government functions with respect to cybersecurity. FISMA 2014 is an overhaul of the Federal Information Security Management Act of 2002 (FISMA) and is meant to provide a framework for the federal government to assess and ensure its information security controls. The CWWA and BPAPRA deal with cybersecurity workforce issues at the Department of Homeland Security (DHS). The NCPA focuses solely on promoting information sharing between the government and the private sector via DHS. Finally, the CEA is a bill that, on its face, is also government-focused; however, of all the bills passed in December, it is the one that may have the biggest chance of causing unintended effects on private sector organizations.
The CEA is the most significant of the December bills both in breadth and likely in impact. This bill covers a wide range of topics, including research and development, and education and awareness. However, it is in the area of public-private collaboration that the new law is apt to have the most impact, since it empowers the National Institute of Standards and Technology (NIST) to facilitate and support the development of voluntary cybersecurity standards for critical infrastructure organizations. This mission was already given to NIST by President Obama through Executive Order in 2013, but the CEA cements it into law and in doing so limits the ability of future Administrations to alter it.
While NIST is not given any regulatory authority, and the standards it produces will not be considered regulations, the framework created by NIST could be adopted by industry groups and even courts as a benchmark for measuring organizations’ cybersecurity posture.
There already is precedent for a similar framework that has been used by courts dealing with cybersecurity cases. Over the past several years, a number of financial institutions have been subject to lawsuits from corporate customers whose money was stolen by cyber criminals. In many of these cases, courts turned to guidelines created by the Federal Financial Institutions Examination Council (FFIEC) as a way to evaluate the financial institution’s cybersecurity posture. The FFIEC standards have no legal weight of their own, but courts found them to be instructive in these cases and they often played a significant part in the court’s rulings.
A similar situation could very well develop with respect to the NIST standards. Courts, regulatory bodies, and even industry groups that seek guidance in resolving grievances related to cybersecurity incidents are likely to go with the NIST framework because it has been generally well received, was subject to public comment, and is freely available. Also, while the CEA is focused on giving NIST authority to maintain this set of standards with respect to critical infrastructure organizations specifically, there is nothing stopping courts or other regulatory groups from using the NIST standards to gauge the cybersecurity posture of organizations working in non-critical infrastructure sectors. We are already seeing the Securities and Exchange Commission and the Federal Trade Commission moving in that direction. Private sector companies also are getting into the act by sending cybersecurity questionnaires to their vendors that are based in part on the NIST framework. Failure to answer the questions adequately removes the vendor from further consideration, turning this into a business requirement.
Companies have good reason to consider embracing, rather than staving off, the NIST framework. There is a fair amount of flexibility in its approach. Similar to the FFIEC guidelines, NIST does not mandate the use of specific security protocols or technologies. By way of comparison, FFIEC suggests that financial institutions use a layered security program that uses controls at multiple points in a transaction process in order to build a more effective overall security framework. Meanwhile, the NIST guidelines advocate that organizations approach cybersecurity by evaluating and implementing controls from a risk-based perspective. Guidelines from both organizations provide a framework for thinking about cybersecurity practices while still allowing companies plenty of flexibility in meeting cybersecurity goals.
The implications of the CEA give companies something to think about. Since courts and regulatory bodies lack laws to guide their decision-making process in this area, they likely will turn increasingly to NIST as having set the standard for what good security processes look like. As a result, organizations that strive to make their cybersecurity controls more robust may be well advised to turn to the same NIST standards as a baseline for exploring their risk and setting their controls. Companies that have not already implemented an internationally recognized set of cybersecurity standards (such as ISA, ISO/IEC, or COBIT) will find that, by using the NIST standards to inform their cybersecurity protocols, they can get ahead of the game should clients or regulatory bodies begin asking for the basis of their cybersecurity posture.
Matt Dahl is Manager of Global Threat Intelligence and Legal Counsel for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response. He can be reached at firstname.lastname@example.org.