An article in eCommerce Times, "NIST Risk-Assessment Framework Shapes Federal Cybersecurity Strategy," offers a well-reasoned argument for why the NIST (National Institute of Standards and Technology) Cybersecurity Framework is the guiding force in shaping the United States' federal cybersecurity strategy. You should read it — but only after you read the following explanation, because it is a lot simpler.
The number one reason the NIST Cybersecurity Framework is quickly becoming the standard of choice (rather than, for example, ISO 27001) for companies doing business in the United States is that it is the standard the regulatory agencies themselves look to. Consider the following:
- The US regulatory agencies (primarily the FTC and SEC) are the key driving force behind cybersecurity compliance among US companies, and this trend will increase in 2016 (for an explanation, see the podcast and earlier posts);
- The regulatory agencies, being agencies of the US government, naturally use the NIST Cybersecurity Framework as the default standard against which they compare a company's security program when determining whether its efforts were reasonable;
- These agency enforcement actions are creating most of the substantive “law” and guidance on cybersecurity compliance issues; thus,
- The development of much of the substantive law is based on the NIST Cybersecurity Framework.
EDIT: Thanks to @pjcoyle on Twitter, with assistance from @Aristot73, for pointing out to me how this post could be read as arguing that companies must either “comply” with NIST or they are negligent. That is not what I mean — what I mean is that of the “standards” that are out there, such as NIST, ISO 27001, etc., NIST is the one that the agencies and courts are looking to when they are being looked to.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.