The NIST Cybersecurity Framework and the FTC

We often get the question, If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?

Metadata
Provider: 
FTCFTC
URL: 
https://www.ftc.gov/business-guidance/blog/2016/08/nist-cybersecurity-framework-and-ftchttps://www.ftc.gov/business-guidance/blog/2016/08/nist-cybersecurity-framework-and-ftc
Retrieved on: 
Tuesday, November 29, 2022
Information
Tags: 
Section 5, CVS Health, NIST, Private sector, Risk, Social media, Legislation, ISA, Oracle, Business Environment Council, Theft, Element, ISO/IEC, Record, ISO, Checklist, Goal, Privacy, Federal Trade Commission, Awareness, In re TRENDnet, Inc., Internet, Communication, Organization, Java, International Organization for Standardization, Internet service provider, Policy, Federal Trade Commission Act of 1914, Identification, Comment, Method, LPT, COBIT, NIST Cybersecurity Framework, Travel + Leisure Co., Blog, Asus, Core, Risk assessment, Asset management, Fraud, FTC, Software, Review, Computer security, Complaint, Risk management, Security, Language, Department, TRENDnet, Information, Executive order, Congress, Medical device, Online shopping, Accretion (finance), Framework, Oracle Corporation, Technology, Governance
Summary
Key Points: 
  • We often get the question, If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?
  • In February 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which called on the Department of Commerces National Institute of Standards and Technology (NIST) to develop a voluntary risk-based Cybersecurity Framework for the nations critical infrastructurethat is, a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks.
  • NIST issued the resulting Framework in February 2014.
  • The Framework provides organizations with a risk-based compilation of guidelines that can help them identify, implement, and improve cybersecurity practices.
  • The Framework does not introduce new standards or concepts; rather, it leverages and integrates cybersecurity practices that have been developed by organizations like NIST and the International Standardization Organization (ISO).
  • Identify helps organizations gain an understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities.
  • Protect helps organizations develop the controls and safeguards necessary to protect against or deter cybersecurity threats.
  • The Framework breaks down each of these functions into additional categories and then provides helpful guidance.
  • As the Framework recognizes, theres no one-size-fits-all approach to managing cybersecurity risk.
  • But thats the benefit of the Framework: Its not a checklist, but rather a compilation of industry-leading cybersecurity practices that organizations should consider in building their own cybersecurity programs.
  • Section 5 of the FTC Act is the primary enforcement tool that the FTC relies on to prevent deceptive and unfair business practices in the area of data security.
  • Since 2001, the FTC has settled some 60 cases against companies the FTC alleges failed to provide reasonable protections for consumers personal information.
  • By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTCs long-standing Section 5 enforcement.
  • Many FTC cases highlight companies alleged failures to implement reasonable data security practices that the Framework emphasizes under the
    Protect function.
  • FTC orders demonstrate the importance of this function, emphasizing how consumer interests should factor into a companys recovery plan.
Copyright: 
2022 FTC. All Rights Reserved.