Intro to Cybersecurity Framework: New Mandatory NIST Standards for Government Contractors?

From: JDSupra Business Advisor

Amy Conant, Stuart Nibley | K&L Gates LLP

Cybersecurity remains one of the most important and least understood issues of the day. Last week, the National Institute of Standards and Technology (NIST) hosted a workshop in Tampa, Florida, to receive private sector feedback on Version 1.0 of its Cybersecurity Framework (CSF), released on February 12, 2014. The purpose of the workshop, NIST advertised, was to gather input on users’ initial experiences with the framework “with a focus on resources to help organizations use the Framework more effectively and efficiently.” While certainly optimistic, the agenda might be too ambitious for the private sector, where awareness of the NIST standards remains low.

***

One of the biggest takeaways from the NIST workshop last week is that there is no such thing as being “CSF-compliant.” The NIST Framework is specifically designed not to be a checklist, and even states that it is “not a one-size-fits-all approach to managing cybersecurity risks for critical infrastructure,” because “organizations will continue to have unique risks… and how they implement the practices in the Framework will vary.” Although Government contractors must be aware of cybersecurity’s evolving regulatory landscape and should use the NIST Framework accordingly, the takeaway from Tampa is clear: use the NIST Framework, but tailor implementation to your company’s own unique risks and needs… and watch for incorporation of the NIST Framework into Government contracts as mandatory requirements.
