The NIST Cybersecurity Framework and the FTC
We often get the question, If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?
- In February 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which called on the Department of Commerce's National Institute of Standards and Technology (NIST) to develop a voluntary risk-based Cybersecurity Framework for the nation's critical infrastructure, that is, a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks.
- NIST issued the resulting Framework in February 2014.
- The Framework provides organizations with a risk-based compilation of guidelines that can help them identify, implement, and improve cybersecurity practices.
- The Framework does not introduce new standards or concepts; rather, it leverages and integrates cybersecurity practices that have been developed by organizations like NIST and the International Standardization Organization (ISO).
- Identify helps organizations gain an understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities.
- Protect helps organizations develop the controls and safeguards necessary to protect against or deter cybersecurity threats.
- The Framework breaks down each of these functions into additional categories and then provides helpful guidance.
- As the Framework recognizes, there's no one-size-fits-all approach to managing cybersecurity risk.
- But that's the benefit of the Framework: It's not a checklist, but rather a compilation of industry-leading cybersecurity practices that organizations should consider in building their own cybersecurity programs.
- Section 5 of the FTC Act is the primary enforcement tool that the FTC relies on to prevent deceptive and unfair business practices in the area of data security.
- Since 2001, the FTC has settled some 60 cases against companies the FTC alleges failed to provide reasonable protections for consumers' personal information.
- By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC's long-standing Section 5 enforcement.
- Many FTC cases highlight companies' alleged failures to implement reasonable data security practices that the Framework emphasizes under the Protect function.
- FTC orders demonstrate the importance of this function, emphasizing how consumer interests should factor into a company's recovery plan.