Client Alerts

Striving for Security: Understanding the New Cybersecurity Framework

By: Frances Floriano Goins

About: Cybersecurity & Privacy

A new cybersecurity framework, developed to assist companies that are part of the critical infrastructure of the United States, can be a valuable tool for any company to manage and reduce its cybersecurity risk. In recognition of the importance of many industries to the national and economic security of the United States, President Barack Obama issued Executive Order 13636 (EO) on February 12, 2013. The Executive Order directed the development of a voluntary cybersecurity framework (the Framework) to help strengthen companies and systems that are part of the country’s critical infrastructure. On February 12, 2014, the National Institute of Standards and Technology (NIST) issued the Framework for Improving Critical Infrastructure Cybersecurity. The Framework was the result of collaboration between the government and the private sector and is intended to provide a cost-effective mechanism for critical infrastructure companies to manage cybersecurity risk.

Sixteen industries are described as being part of the critical infrastructure, including energy, financial services, emergency services, health care and public health, and critical manufacturing. Although the Framework was designed for critical infrastructure companies, it can provide an effective means for any company to understand how it is managing cybersecurity risk and to establish a path towards improving cybersecurity protection.

The Framework is organized into three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile.

1. Framework Core
The Framework Core is an organized structure for companies to leverage their existing security programs to understand how they are managing cybersecurity risk. It is organized into five functions: Identify, Protect, Detect, Respond, and Recover. Each function is then further organized into categories and subcategories that provide details regarding implementation of the functions. For each subcategory, there are corresponding informative references to specific security controls in existing security standards that many companies have already implemented.

2. Implementation Tiers
The Framework Implementation Tiers allow companies to assess how they manage cybersecurity risk throughout the enterprise. There are four Tiers with Partial (Tier 1) being the lowest degree of sophistication through Adaptive (Tier 4), which is the highest level of sophistication. Although the Framework does not recommend any specific Tier, it does encourage companies to progress to higher Tiers when the change could reduce cybersecurity risk in a cost-effective manner.

3. Framework Profile
Lastly, there is a Framework Profile that uses the Framework Core and a company’s current Tier to assess the company’s current level of cybersecurity protection (the Current Profile) and to create an ideal profile (the Target Profile) to understand the company’s security gaps. By comparing the Current Profile against the Target Profile, a company can develop a plan for reaching its desired level of cybersecurity sophistication.


NIST also issued the Roadmap for Improving Critical Infrastructure Cybersecurity the same day as the Framework. The Roadmap outlines how the Framework will evolve and the areas on which NIST will focus to continue to improve the effectiveness of the Framework. Among the nine priorities identified in the Roadmap are supply chain risk management and authentication, two potential areas of weakness in a company’s security profile. The Roadmap also highlights the importance of developing privacy standards as part of the process of implementing the Framework.

Voluntary Program
The Department of Homeland Security announced the creation of the Critical Infrastructure Cyber Community C3 Voluntary Program to coincide with the issuance of the Framework and the Roadmap. The C3 Voluntary Program is intended to develop coordination between the Federal Government and companies that are part of the critical infrastructure. The goal of the program is to increase resilience to cyber threats, increase awareness and use of the Framework, and to encourage companies to incorporate cybersecurity into their overall enterprise risk management.
The Framework is currently a voluntary tool for critical infrastructure companies to implement cybersecurity protection. It is possible, however, that regulators and courts will begin to look to the Framework as an industry standard for assessing the reasonableness of entities’ security practices and to assess the reasonableness of a company’s steps to reduce cybersecurity risk. All companies should review the Framework to assess how their current cybersecurity practices fit within the Framework and to determine whether using the Framework can help them minimize cybersecurity risk in the future.

For more information, please contact Frances Floriano Goins at Ulmer & Berne LLP.