Remain Mindful of The NIST Cybersecurity Framework Guidelines


Last week the FTC released an article to answer the following question: “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?”  The short answer is that the Cybersecurity Framework is not a federal mandate, but prudent companies should include it in their cyber and risk management efforts.  NIST’s document offers best practices for voluntary adoption and use; as the FTC explains, “there’s really no such thing as ‘complying with the Framework.’”  That said, the best practices and risk management approach provided in the Cybersecurity Framework are instructive.  In the FTC’s view “the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement,” so as innovators try to determine what security efforts are “reasonable” they should look to the Framework.

The Cybersecurity Framework’s best practices are the product of extensive collaboration between the public and private sectors, with input from over 3,000 individuals from industry, academia, and government.  Rather than introduce new standards or concepts, the Framework leverages top cybersecurity practices already developed by organizations like NIST, IEEE, and the International Organization for Standardization (ISO).

Because it is designed to be relevant to so many sectors and organizations, the Cybersecurity Framework is voluntary.  This enables organizations—with unique threats, vulnerabilities, and risk tolerances—to retain the flexibility necessary to effectively implement Framework practices and minimize security risks.  In developing the Framework, NIST specifically eschewed a “one-size-fits-all” approach.      

The result is a Cybersecurity Framework designed to help organizations identify, assess, and manage cybersecurity risks through review of five “core” functions: identify, protect, detect, respond, and recover.  According to one study, 30 percent of U.S. organizations presently use the Cybersecurity Framework and approximately 50 percent are anticipated to use the Framework by 2020.  

As the FTC points out, it has settled approximately 60 enforcement cases since 2001 concerning alleged failures by organizations to reasonably protect consumer personal information.  Citing cases against CVS, HTC America, TRENDnet, Dave & Buster’s, Twitter, Oracle and others as examples, the FTC indicates that those 60 or so cases correspond with the five core functions outlined in NIST’s Cybersecurity Framework.

TRENDnet, of course, was the FTC’s well-known IoT-related enforcement action.  The agency claimed that TRENDnet failed to provide reasonable security to prevent unauthorized access to its internet-connected home security cameras and baby monitors.  Specifically, the FTC alleged the company failed to “employ reasonable and appropriate security in the design and testing of the software” and “implement a process to actively monitor security vulnerability reports,” which the agency said allowed hackers to access and post online the audio and video feeds from approximately 700 TRENDnet user cameras.  

To avoid similar enforcement action, IoT companies should proactively build security into their devices and adopt processes to ensure reasonable protection of sensitive consumer information.  Because of the centrality of the Framework to ongoing cybersecurity policy efforts, it would behoove organizations to review and consider their cybersecurity practices under the Framework.  This is particularly important given the continuously evolving IoT technology market, which critically depends on robust security, and the FTC’s enforcement activities.  Organizations should therefore embrace the voluntary nature of NIST’s Cybersecurity Framework and implement a risk-based strategy tailored to address their unique cybersecurity needs.

Wiley Connect