By Catlin Meade and Jenny Martin
On August 31, 2016, the FTC posted a blog entry addressing whether compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) necessarily constitutes compliance with FTC cybersecurity practices.
The FTC answers this question with a resounding “No” and specifically states: “there’s really no such thing as ‘complying with the Framework[]’” because “[t]he Framework is not, and isn’t intended to be, a standard or checklist.” The FTC further explains that the Framework does not provide a one-size-fits-all checklist of security practices; rather, it provides an organized approach and broad guidance, collected from a variety of existing industry standards, guidelines, and best practices, that organizations can follow to identify and manage cyber risk.
For background, the Framework, which was published in February 2014, was developed in response to Executive Order 13,636, “Improving Critical Infrastructure Cybersecurity,” which called for a common, voluntary, risk-based methodology for implementing sound and adaptable cybersecurity practices within critical infrastructure sectors. The Framework’s Core identifies a set of five “functions” – identify, protect, detect, respond, recover – that mirror a risk-management lifecycle. Under each of these core functions, the Framework specifies “categories” of practices and mechanisms for organizations to consider in managing their cyber risk. The purpose of the Framework is to strengthen the resilience of the nation’s critical infrastructure by providing all organizations with the tools and taxonomy to create a risk-based cybersecurity program.
In contrast to the Framework’s voluntary nature, the FTC has, through its enforcement actions under Section 5 of the FTC Act, emphasized cybersecurity practices targeted at preventing deceptive and unfair business practices. Those practices have been communicated through the FTC’s published enforcement actions, business outreach, and consumer education. The FTC expects organizations to comply with these practices, and this recent blog post highlights that using and applying the Framework does not by itself constitute compliance with the FTC’s cybersecurity practices, but may help organizations avoid the failures that have led to previous FTC enforcement actions.
To further assist organizations in complying with its cybersecurity practices, the FTC’s August 31 blog entry lists specific practices that—through its enforcement actions—it has previously identified as components of a “reasonable” security program, and correlates those practices to the core functions and categories described in the Framework.