Voluntary Cybersecurity Framework Could Lead to Regulations in the Future

by Lloyd McCoy Jr., Consultant

The Preliminary Cybersecurity Framework, released for industry feedback in October, serves as a preview of the voluntary guidelines and best practices aimed at industry for the purpose of reducing cyber risks to our critical infrastructure (see below). The Framework also focuses on information sharing between industry and the government. Specifically, the government and private critical infrastructure operators, as well as the technology firms who support them, would share information on cyber breaches and ways to prevent them. The draft by the National Institute of Standards and Technology (NIST) was put together with industry feedback, but there are lingering concerns that the final version may not be all that voluntary.

Some industry watchers worry that if a technology company disregards the Framework, and there is an intrusion resulting in loss of data or impaired critical infrastructure, then that firm could be vulnerable to lawsuits. The draft Framework does include liability protection, but only for those who adopt the Framework, leaving those on the outside more vulnerable, particularly if the Framework becomes the de facto standard.

The Framework also addresses privacy and civil liberty concerns, an issue on a lot of people's minds nowadays. It calls for minimization of personally identifiable information (PII) as information on cyber breaches is shared with the government. The issue here is that all the scrubbing and anonymizing of data that will be required is costly and time consuming, and could prove to be a disincentive to sharing at all.

The White House has gone to great lengths to make the Framework as benign and palatable as possible to industry, but while the Framework is not mandatory, there is concern it could pave the way for regulations and legislation in the future. The Executive Order from which the Framework is derived (Executive Order 13636, Improving Critical Infrastructure Cybersecurity), for example, requires federal agencies to state whether they have the authority to establish requirements based on the Framework, should they need to. Also, the word "should" was dropped from certain sections featuring recommendations for industry. The change was intended to make the language less forceful, but the result now reads as if industry is being commanded.

Any concerns or recommendations can be conveyed to the government during a 45-day comment period which ends December 13, 2013. It is open to all of industry, particularly those connected in some way to critical infrastructure. I encourage you to take a look at the Framework and take advantage of this opportunity to shape the guidelines which, if you peel back the layers, may become more binding than you might think.

About Lloyd McCoy Jr.
Lloyd McCoy is the Department of Defense Consultant on the Market Intelligence team. Prior to working for immixGroup, he worked in the public sector as a senior analyst with the Defense Department. Lloyd primarily monitors and analyzes issues relating to the Navy/Marine Corps, the Defense Health Agency, and the Defense Information Systems Agency.
