NIST Releases Cybersecurity Framework

Regulation Watch

NIST Releases Cybersecurity Framework

By William B. Wilhelm, Regulation Watch  |  May 12, 2014

On Feb. 10, 2014, the National Institute of Standards and Technology issued the “Framework for Improving Critical Infrastructure Cybersecurity.”  The framework follows President Obama’s Executive Order 13636, issued in February 2013, directing NIST to create a set of voluntary industry standards and best practices to help organizations manage cybersecurity risks.

The NIST framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. It instructs organizations on how to assess their current level of cybersecurity, set goals for improving cybersecurity, and creates a plan for implementing those goals. NIST intends to update the framework to keep pace with changes in technology.  

The framework is focused on critical infrastructure, which includes utilities, financial services, telecommunications, chemicals, food and agriculture, and health care. Although businesses are not required to adopt the NIST framework, the framework will be used as a roadmap for future cybersecurity-related undertakings in the United States, even in non-critical infrastructure areas.  Federal and private incentives (cybersecurity insurance, grants, liability limitations, etc.) will likely encourage industry participation in the NIST framework. Implementation of NIST standards may also affect business-to-business relationships, court liability in the event of future breaches, and may be used as the basis for future legislation. Businesses that participate in the framework may therefore have an opportunity to shape the guidelines and determine an appropriate standard before it becomes mandated by law.

As providers of advanced communications services, VoIP providers should take particular note of the cybersecurity framework and ensure that they have considered potential cyber threats to their networks, customers and business operations; have taken steps to mitigate those threats; and have a plan for dealing with successful attacks. 

William B. Wilhelm (News - Alert) is a partner and Jeffrey R. Strenkowski is counsel at the global law firm of Bingham McCutchen LLP (

Edited by Maurice Nagle