The National Institute of Standards and Technology (NIST) released a preview of what could be forthcoming cybersecurity standards.
The “discussion drafts,” which the NIST made available last week, are being developed as a part of President Obama’s cybersecurity executive order, which he signed in February. The purpose of the order is to expand private sector access to government information about potential threats to cybersecurity and it tasks the Department of Homeland Security with determining which companies are operating important infrastructure like the electric grid, “where a cybersecurity incident could reasonably result in catastrophic regional or national effects.”
The agency is seeking feedback on the drafts, released on Aug. 30, and will outline potential standards for critical infrastructure firms and address concerns many in the business community had expressed about the standards during the comment phase.
The discussion drafts recommend companies develop cybersecurity capabilities in various areas, but they do not require firms to meet specific benchmarks.
Ahren Tyron, a partner at Cozen O’Connor, told the Wall Street Journal Law Blog that the documents demonstrate “the working group’s understanding of the importance of buy-in by companies’ executive leadership. The goal is to get high-level executives comfortable with the framework. NIST is avoiding being overly prescriptive so as to ensure the framework is widely applicable.”
The proposed standards are “not designed to replace existing processes” and are “not a one-size fits all approach,” the NIST said.
Whatever happens, the standards will be well received, as experts believe cybersecurity should be top of mind for in-house counsel.
“The world of cybersecurity has surpassed the exclusive purview of information technology and security departments, and is on the radar screens of legal departments to assist in assessing and managing the risks of information security breaches,” Daniel Lim, deputy GC of Guidance Software, said in an April InsideCounsel column.
Read more about the proposed standards in the WSJ Law Blog.
For more InsideCounsel stories about cybersecurity, see: