To implement President Obama’s cybersecurity initiative, the National Institute of Standards and Technology (“NIST”) has issued a Request for Information (“RFI”) as part of its effort to create a set of industry best practices to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”). This RFI offers industry its first significant opportunity to provide input on cybersecurity policies and procedures and the impact of additional regulatory obligations. Responses to the RFI are due by April 8, 2013.

The February 12, 2013 Executive Order and Presidential Policy Directive on cybersecurity have tasked NIST with creating the Cybersecurity Framework. When fully implemented, the Executive Order and Presidential Policy Directive could impose significant new regulatory burdens on owners of terrestrial wireless and wireline, undersea cable, and satellite networks. (The fact that the European Union recently adopted its Cybersecurity Strategy proposing risk management requirements will create pressure for a harmonized set of requirements for critical infrastructure providers that seek to offer services in both markets.) In the RFI, NIST makes a series of very broad information requests intended to identify cross sector security best practices, standards, and guidelines applicable to critical infrastructure; to encourage their adoption; and to identify areas for improvement. In particular, NIST requests information in the following areas:

Current Risk Management Practices:

  • Policies and procedures currently in use to define, assess, or otherwise address cybersecurity risks;
  • Standards, guidelines, and best practices currently available to address risks and the role these standards should play in assessing conformity of cybersecurity measures;
  • Current local, state, national, and international cybersecurity regulatory and reporting obligations; and
  • Interconnections among different types of critical physical and information infrastructure.

Use of Frameworks, Standards, Guidelines, and Best Practices:

  • Policy or other documents developed by international, national, and state governments; industry; and non-government organizations currently applicable to cybersecurity needs and list of sectors/organizations currently using these approaches;
  • Limitations of the current approaches and suggestions for modification; and
  • Whether sector-specific standards development or a voluntary program should accompany existing frameworks and suggestions as to what relevant U.S. government agencies can do to foster their adoption.

Specific Industry Practices: NIST seeks information about the following specific industry practices: (1) separation of business from operational systems; (2) use of encryption and key management; (3) identification and authorization of users accessing systems; (4) asset identification and management; (5) monitoring and incident detection tools and capabilities; (6) incident handling policies and procedures; (7) mission/system resiliency practices; (8) security engineering practices; and (9) privacy and civil liberties protection. With respect to these specific practices, NIST asks:

  • Which practices are widely used and which will be most difficult to implement;
  • How the specific practices relate to existing standards and guidelines;
  • Which practices are most critical and which might not apply to certain sectors; and
  • How organizations can manage risks to privacy and civil liberties arising out of the specific practices.

While threatening to impose significant new regulatory burdens on communications networks, the RFI and Cybersecurity Framework have also created significant regulatory uncertainty about defining and distinguishing between “virtual” and “physical” infrastructure, and could well introduce tension into the commercial relationships between infrastructure owners and providers of so-called “over-the-top” services. The RFI provides a significant opportunity for industry to minimize regulatory burdens by providing input on the implementation of cybersecurity requirements.

During the Cybersecurity Framework development process, NIST will solicit information from interested stakeholders, including critical infrastructure owners and operators, agencies, state and local governments, and others, not just through the solicitation of comments, but also through outreach events and workshops. NIST will hold its first stakeholder meeting on April 3, 2013 at its headquarters in Gaithersburg, Maryland.

Responses to the RFI must be filed by 5:00 p.m. Eastern time on April 8, 2013. NIST intends to publish a draft Cybersecurity Framework within eight months.

* * *

For assistance commenting on the NIST RFI or participating in NIST stakeholder outreach, or more information regarding Wiltshire & Grannis’s cybersecurity practice, please contact Kent Bressie at +1 202 730 1337 or [email protected], Tricia Paoletta at +1 202 730 1314 or [email protected], or Madeleine Findley at +1 202 730 1304 or [email protected].

This advisory is not intended to convey legal advice. It is circulated to W&G clients and friends as a convenience and is not intended to reflect or create an attorney-client relationship as to its subject matter.

Share This Story, Choose Your Platform!

Categories: State of the Industry

Related Posts

Seabed mining risks damaging subsea cables and the environment. The U.S. not joining UNCLOS leaves it out of regulatory decisions.

Deep Seabed Mining Threatens Global Subsea Cable Network

Friday, 12 Jul, 2024
A cable ship in the Mediterranean has heightened tensions between Turkey and Greece, causing diplomatic friction over disputed waters.

Cable Ship Raises Tensions Between Turkey and Greece

Wednesday, 10 Jul, 2024
Nokia is set to buy optical networking biz Infinera in a $2.3 billion transaction, the companies have confirmed.

Nokia to Buy Infinera for $2.3B

Friday, 28 Jun, 2024
Nokia announces selling an 80% share of Nokia Submarine Networks Holding to the French State, streamlining its business portfolio.

Nokia Sells Majority Stake in Submarine Networks to French State

Thursday, 27 Jun, 2024
OMS Group signed a $292.5M agreement with top financial institutions to expand its global subsea telecommunications capabilities.

OMS Group Signs $292.5M Agreement for Global Expansion

Monday, 24 Jun, 2024
OMS Group obtained nearly $300 million to expand its cable ship fleet, enhancing subsea telecommunications capabilities.

OMS Group Secures $300 Million for Cable Ship Fleet Expansion

Friday, 21 Jun, 2024
Albert Vlodder wins the 2024 Rhodes Academy ICPC Submarine Cables Writing Award for a paper on legal issues related to submarine cable damage.

Albert Vlodder Wins Rhodes Academy ICPC Writing Award

Friday, 7 Jun, 2024
US officials warn Google and Meta that China-controlled repair ships may tamper with subsea cables, posing risks to US data security.

Google and Meta Warned of Chinese Espionage Risks

Monday, 20 May, 2024
The U.S. agency has settled investigations into América Móvil's undersea cable system, concluding a lengthy probe.

U.S. Agency Settles Probes Into América Móvil Cable System

Wednesday, 15 May, 2024
Indigo supports EU's recommendations for securing subsea infrastructure and advances its own cybersecurity services.

Indigo Welcomes EU's Call for Stronger Subsea Security

Wednesday, 15 May, 2024