A technical agency within the Department of Commerce is poised to have a substantial impact on American businesses, through efforts on cybersecurity, data security, and privacy. The National Institute of Standards and Technology has taken a leadership role on technology issues by producing guidance documents that are broad in scope and may influence regulatory agendas and expectations about private sector operations and policies. The private sector should be engaged and watchful, as NIST's work generally is not bound by notice and comment procedures and is rarely subject to judicial review, but could become de facto obligations or expectations for private behavior.
NIST Produces Guidance and Standards by Consensus, Outside Familiar Administrative Law Procedures
NIST, housed within the U.S. Department of Commerce, is a non-regulatory agency. Since its inception in 1901, the agency has been charged with, among other things, "stimulating cooperative work among private industrial organizations in efforts to surmount technological hurdles." NIST's stated mission is "[t]o promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life." NIST has core responsibilities under the Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541 et seq., Public Law 107-347, "for developing information security standards and guidelines, including minimum requirements for federal information systems."
NIST performs several functions, including developing standards and guidelines for federal information systems; supporting Commerce in facilitating trade; and cooperating in international and private-sector efforts to establish standard practices and voluntary, consensus-based standards. Much of NIST's work is spread among six internal research laboratories, including the Information Technology Laboratory (ITL).
In carrying out its functions, NIST publishes a variety of guidance, including handbooks, NIST interagency or internal reports (NISTIRs), special publications, technical notes, and bulletins, among others. "While developed for federal agency use, these resources are voluntarily adopted by other organizations because they are effective and accepted throughout the world." NIST's work has been influential in government procurement policy by, for example, setting security standards for federal contractors and others that store controlled unclassified information (CUI) on their systems.
NIST is a non-regulatory agency, and its procedures are often unlike the notice-and-comment procedures that the Administrative Procedure Act (APA) dictates for regulatory agencies. In some instances, NIST will follow procedures "modeled after" the APA, but for other work, such as special publications, NIST tends toward the creation of voluntary, consensus-based standards via workshops and meetings rather than formal rulemakings. NIST explains that "standards and guidelines are developed in an open and transparent manner that enlists broad industry and academia expertise from around the world." NIST's development of the Framework for Improving Critical Infrastructure Cybersecurity, discussed below, illustrates the collaborative, workshop-based approach NIST often uses. NIST's substantive work is not often subject to judicial review, though its efforts often are used by other agencies as a standard or benchmark.
The legal impact of NIST guidance and expertise outside the federal government is not well developed, but NIST's work has been used in a variety of ways by courts and litigants. NIST studies and standards have been cited by litigants and analyzed by courts in cases concerning products liability, patent infringement and false advertising.
Litigants also cite NIST guidance in their advocacy. For example, NIST's activities were raised in a key case challenging the Federal Trade Commission's authority to regulate data security. In FTC v. Wyndham Worldwide Corporation, a federal court upheld the FTC's authority to bring an enforcement action against a hotel company for failing to use reasonable and appropriate data security practices. There, Wyndham and amici had argued that the FTC could not develop or enforce general data security standards, and cited NIST's then-pending Framework efforts as an example of appropriate standard-setting.
NIST Is a Leader on Data Security, Privacy and Cybersecurity
NIST supports federal network security standards, guidelines, and best practices. Its work feeds into national and international consensus standards, and informs state and local governments, along with private industry.
Of late, NIST has been taking on an increasingly high profile on issues related to privacy and security, principally through its ITL, which "has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics." The ITL contains the Computer Security Division (CSD), which is responsible for developing standards, guidelines, tests, and metrics for the protection of non-national security federal information and communications infrastructure. CSD includes the Computer Security Resource Center, which facilitates "sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia."
As shown in a recent Annual Report, the CSD is addressing a variety of issues, as diverse as smart-grid cybersecurity, health information technology security, supply chain risk management, cloud computing, and identity verification. NIST is proud of its role in developing "scalable and sustainable information security standards and practices in areas such as cyber-physical and industrial control systems, privacy engineering, security automation, and mobile technologies." These areas are all emerging as major challenges for government and the private sector.
NIST Has Taken a Lead Role in Federal Cybersecurity Efforts, and Is Impacting Regulatory Activities Throughout the Federal Government
In February 2013, President Obama issued an Executive Order (EO) on Improving Critical Infrastructure (CI) Cybersecurity. The EO tasked NIST with developing a voluntary cybersecurity framework through an open, consultative process. To implement its responsibilities under the EO, NIST held several open planning sessions for the voluntary cybersecurity framework during 2013-2014. NIST released a proposed framework, on which it accepted comments from interested parties, and finalized the framework in February 2014.
The framework provides broad cybersecurity guidance using a risk-based approach that can be adapted to the needs of different CI sectors. It consists of three parts: the core, the profile, and the implementation tiers. The core is a set of activities and outcomes NIST found applicable to all CI sectors. It is organized into five functions (identify, protect, detect, respond, and recover) that are recognized components of a cybersecurity management lifecycle, along with associated programmatic and technical outcomes. The profile describes an entity's current and target cybersecurity postures, based on business needs. And the implementation tiers characterize an entity's current and intended practices. The framework is not intended to be mandatory or static, and NIST explicitly states that it can be updated.
Industry has been generally supportive of NIST's efforts on the cybersecurity framework, in particular the agency's open and collaborative approach, and its commitment to keep the resulting Framework voluntary and non-regulatory.
NIST's cybersecurity activities are influencing initiatives at other government agencies:
- The Food and Drug Administration incorporated the framework into recent guidance related to cybersecurity on medical devices.
- The National Highway Traffic Safety Administration is using the framework to analyze cybersecurity risk management in the automotive sector.
- The Securities and Exchange Commission's Office of Compliance Inspections and Examinations has undertaken a cybersecurity initiative that includes conducting examinations of registered broker-dealers and registered investment advisors focused, among other things, on identification and assessment of cybersecurity risks and protection of networks and information. The inquiry largely tracks the framework.
- The Federal Trade Commission, which has asserted broad authority over private sector data security issues, will consider the framework in its data security activities and investigations.
- The Federal Communications Commission's Communications Security, Reliability, and Interoperability Council is looking at mechanisms to provide macro-level assurance that communications providers are reducing cybersecurity risks through the application of the framework, or an equivalent construct.
- The Department of Defense and the General Services Administration used the framework in their development of cybersecurity guidelines for government acquisition.
A full version of this article is available here.