Remain Mindful of The NIST Cybersecurity Framework Guidelines
Last week the FTC released an article to answer the following question: “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” The short answer is that the Cybersecurity Framework is not a federal mandate, but prudent companies should include it in their cyber and risk management efforts. NIST’s document offers best practices for voluntary adoption and use; as the FTC explains, “there’s really no such thing as ‘complying with the Framework.’” That said, the best practices and risk management approach provided in the Cybersecurity Framework are instructive. In the FTC’s view “the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement,” so as innovators try to determine what security efforts are “reasonable” they should look to the Framework.
The Cybersecurity Framework’s best practices are the product of extensive collaboration between the public and private sectors, with input from over 3,000 individuals from industry, academia, and government. Rather than introduce new standards or concepts, the Framework leverages top cybersecurity practices already developed by organizations like NIST, IEEE, and the International Standardization Organization.
Because it is designed to be relevant to so many sectors and organizations, the Cybersecurity Framework is voluntary. This enables organizations—with unique threats, vulnerabilities, and risk tolerances—to retain the flexibility necessary to effectively implement Framework practices and minimize security risks. In developing the Framework, NIST specifically eschewed a “one-size-fits-all” approach.
The result is a Cybersecurity Framework designed to help organizations identify, assess, and manage cybersecurity risks through review of five “core” functions: identify, protect, detect, respond, and recover. According to one study, 30 percent of U.S. organizations presently use the Cybersecurity Framework and approximately 50 percent are anticipated to use the Framework by 2020.
As the FTC points out, it has settled approximately 60 enforcement cases since 2001 concerning alleged organization failures to reasonably protect consumer personal information. Citing cases against CVS, HTC America, TRENDnet, Dave & Busters, Twitter, Oracle and others as examples, the FTC indicates that those 60 or so cases correspond with the five core functions outlined in NIST’s Cybersecurity Framework.
TRENDnet, of course, was the FTC’s well-known IoT-related enforcement action. The agency claimed that TRENDnet failed to provide reasonable security to prevent unauthorized access to its internet-connected home security cameras and baby monitors. Specifically, the FTC alleged the company failed to “employ reasonable and appropriate security in the design and testing of the software” and “implement a process to actively monitor security vulnerability reports,” which the agency said allowed hackers to access and post online the audio and video feeds from approximately 700 TRENDnet user cameras.
To avoid similar enforcement action, IoT companies should proactively build security into their devices and adopt processes to ensure reasonable protection of sensitive consumer information. Because of the centrality of the Framework to ongoing cybersecurity policy efforts, it would behoove organizations to review and consider their cybersecurity practices under the Framework. This is particularly important given the continuously-evolving IoT technology market, which critically depends on robust security, and the FTC’s enforcement activities. Organizations should therefore embrace the voluntary nature of NIST’s Cybersecurity Framework and implement a risk-based strategy tailored to address their unique cybersecurity needs.