In February 2021, the National Institute of Standards and Technology ("NIST"), which is a subdivision of the Department of Commerce in the United States Government, announced its nine priorities for the coming year.
While its guidance is voluntary, businesses would be well advised to follow NIST's lead, as it has become the gold standard for general Privacy and Data Security compliance in the United States.
Whether business leaders want to keep their regulators unconcerned, their clients happy, or their brand strong with regard to Privacy and Data Security, they'll need to know about NIST's new focuses.
Enhancing Cybersecurity Risk Management
NIST's first priority will be enhancing risk management, and there is a reason this is likely first: there is expected to be a lot of action in this space in 2021 based on recent events. NIST calling attention to enhancing risk management follows John Katko's, Ranking Member of the House of Representatives Homeland Security Committee, call to revamp federal procurement and the government's approach to cybersecurity in the wake of the foreign espionage activity that breached government systems via a third party software provider serving as part of the federal government's overall technology supply chain. Another separate but similar breach has also been discovered—this one likely orchestrated by malicious actors associated with a different foreign government.
Recognizing the political appetite for supply chain risk reforms and the necessity to avoid such cybersecurity breaches in the future, NIST is opening its Cybersecurity Framework for public comment and is proposing revisions to its Supply Chain Risk Management in Federal Information Systems and Organizations publication.
Businesses that participate (or want to participate) in procurement contracts with the United States Government should be proactive in both commenting on the NIST Cybersecurity Framework and begin adjusting and aligning their technology supply chain operations to NIST standards.
Doubling Down on Privacy
NIST will also be redoubling their focus on Privacy. In 2020, NIST published its Privacy Framework to complement and supplement the NIST Cybersecurity Framework. While the Cybersecurity Framework sets standards to prevent unauthorized access to information, the Privacy Framework addresses standards for the appropriate use and processing of that information. NIST recently released a crosswalk between the Privacy Framework and the California Consumer Protection Act.
The NIST Privacy Framework, like the Cybersecurity Framework, provides voluntary, self-regulatory suggestions and guidance regarding Privacy and Data Security. However, notably, the guidance is increasingly being incorporated into corporate contracts and other laws (e.g., the Federal Trade Commission looking favorably on the Cybersecurity Framework when assessing whether an organization had unreasonably weak cybersecurity protections).
Cryptographic Standards
NIST plans to further strengthen cryptographic standards and validation, our everyday encryption technology. These standards are incredibly important as they ensure the protection of valuable information and can, in most instances, help avoid triggering the notification requirements under most state data breach statutes.
Awareness
NIST will also focus on cybersecurity awareness, training, and education. This is crucially important and one of the areas that can lead to significant liability and public relations disasters when not handled correctly. An example is the Equifax hack in 2017 that affected the sensitive personal data of individuals spanning multiple countries. Nearly half of the total US population was affected, and the total cost of the breach was over $1.7 billion. The cause—according to the (former) CEO of Equifax when testifying before Congress—of Equifax's security program failing was an individual employee in the technology department failing to "heed security warnings." This is an extreme example, but it puts a spotlight on the danger of employees—whether from ignorance or malice—not acting in compliance with the business's Privacy and Data Security Policies.
Following NIST's advancements in cybersecurity awareness, training, education, and workforce development will likely weigh heavily in favor of allowing a business to mitigate and minimize potential legal repercussions while also protecting important business and consumer information.
Metrics
NIST will be improving the metrics and measurements around cybersecurity and privacy. NIST's efforts in these areas will help cross-disciplinary teams "speak the same language" and create a common dialogue that will improve policy compliance. Unfortunately, the silos of business operations can create scenarios in which professionals use similar words, but apply them with different concepts and meanings (e.g., authorized, incident, breach), resulting in inadvertent noncompliance or triggering of legal requirements. The development of these standards can help a business improve efficiency and effectiveness at the enterprise level.
Access Management
Identity and Access Management will take additional prominence in NIST's guidance given current threats and recent events. Responding to needs felt during the COVID-19 pandemic, NIST will be providing guidance on identity and access management with an emphasis on remote work.
Trustworthy Networks and Platforms
NIST will be focusing on developing methods for determining trustworthy networks and trustworthy platforms. The introduction of the fifth generation of wireless connectivity (5G) and the ever-present and growing Internet of Things industry has accelerated the need for Privacy and Data Security best practices around ascertaining and evaluating a system or platform's trustworthiness.
Emerging Technology
NIST will continue to focus on providing guidance around securing emerging technologies. Organizations seeking to be at the forefront of technology and proactive in its approach to Privacy and Data Security should start by reviewing the technological challenges catching NIST's attention.
NIST Limitations
It is important, however, to note that NIST is not the be-all-and-end-all of Privacy and Data Security. Regulated industries, such as Healthcare, Finance, or Education, may have their own sector-specific requirements. State governments each have their own privacy and data security regulations which are not obligated to give deference to NIST—though it is common for them to do so—which is why NIST standards are so often utilized by businesses operating in multiple states. Any business with an international footprint is likely subject to international regulatory regimes not accounted for in the NIST standards.
