The National Institute of Standards and Technology ("NIST") proposed updating its popular cybersecurity standards and practices blueprint for organizations and businesses. The updated Framework for Improving Critical Infrastructure Cybersecurity (the "Framework") ("Draft Version 1.1") includes new provisions for assessing cybersecurity risk posed by third-party vendors, and a new section on measuring the cost-effectiveness of cybersecurity programs. The proposal is NIST's first attempt to update the Framework since it was issued in February 2014 pursuant to President Obama's February 2013 Executive Order 13636, "Improving Critical Infrastructure Cybersecurity." NIST noted that Draft Version 1.1 is informed by feedback from users, responses to its official request for information, and workshop comments that identified certain areas of the Framework that needed refining, clarification and enhancement.
NIST requested comments on Draft Version 1.1 by April 10, 2017. NIST plans to convene a public workshop in May 2017 to discuss the proposed changes to the Framework. Additionally, NIST stated an intention to release a final Version 1.1 in Fall 2017.
In a related memorandum, Cadwalader attorneys Peter Carey, Joseph Facciponti, Keith Gerver and Joseph Moreno evaluate the proposed changes.
Commentary / Joseph Facciponti
Draft Version 1.1 is a reminder that businesses should reevaluate their cybersecurity programs periodically in light of changing industry norms and recommended best practices, and focus on the cybersecurity risks associated with third-party vendors. The comment period for Draft Version 1.1, which will remain open until April 10, 2017, provides a prime opportunity for organizations and relevant trade and industry groups to weigh in on the suggested amendments and propose additional modifications and changes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.