Pillsbury Winthrop Shaw Pittman

National cybersecurity framework released — has your organisation considered the implications?

By Catherine D Meyer, Meighan E O’Reardon, Deborah S Thoren-Peden and Amy L Pierce

On 12 February 2014, the National Institute of Standards and Technology (NIST) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The final version is the result of a year-long development process that included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix, criticised as being overly prescriptive and costly to implement, in favour of a more general set of recommended privacy practices that should be ‘considered’ by companies.

The cybersecurity framework marks an important step for US cybersecurity policy after an executive order from the Obama administration called for its creation in February 2013. While use of the cybersecurity framework is voluntary, the federal government has been actively exploring various measures to incentivise participation both universally and on a sector-by-sector basis. While the framework is focused on the 16 sectors identified as critical infrastructure, companies outside those areas can use the framework in their risk assessment and enterprise security planning.

The cybersecurity framework is a risk management tool to assist companies with assessing the risk of cyber attack, protecting against attack and detecting intrusions as they occur. According to NIST, it complements, but does not replace, an organisation’s existing risk management processes and cybersecurity programme. It is organised into three parts — the Framework Core, the Framework Implementation Tiers and the Framework Profile. The framework was developed by leveraging existing cybersecurity standards, guidelines and practices. Organisations are encouraged to use it as a tool to continuously assess and improve (where appropriate) cybersecurity practices…
