The Cybersecurity Framework being developed by the National Institute of Standards and Technology (NIST) presents an opportunity for in-house counsel to play an important role in framing and strengthening an organization’s preparedness for and response to cyberattacks.
The NIST, the federal agency that works with industry to develop and apply technology, measurements and standards, is collaborating with private-sector organizations to create the framework in response to President Barack Obama’s Executive Order, “Improving Critical Infrastructure Cybersecurity.” The goal of that order, issued in February, is to fortify the cybersecurity of the nation’s critical infrastructure by increasing information sharing and jointly designing and implementing a framework of cybersecurity practices with industry.
The framework uses existing international standards, practices and procedures that have proven to be effective to provide guidance to companies on how to manage cybersecurity risks with the same priority and urgency they give to financial, safety and operational risks.
NIST posted an outline in July and published the official draft of the Cybersecurity Framework [PDF] for public comment this past October. The executive order requires the NIST to finalize the framework by Feb. 19, 2014.
While implementing the framework will be voluntary, it will be beneficial for companies to adopt it. In-house counsel will be directly involved in formulating a process that establishes disclosure and compliance guidelines to follow in the event of a breach. Corporate counsel will be integral in designing strategies that address the five fundamental cybersecurity functions defined in the framework:
The framework also offers direction on how the private sector should create and use industry best practices to carry out the core functions and measure their current state of cybersecurity against their desired targeted state.
Corporate counsel’s vital role in the development of cybersecurity policies and practices is an extension of the GC office’s responsibilities for protecting and securing intellectual property and assessing and minimizing risks. In-house counsel can spearhead several components of the cybersecurity plan, including: