With the May 25, 2018 deadline quickly approaching, many businesses are scrambling to prepare for compliance with the EU’s General Data Protection Regulation (GDPR), and questions and conversations are heating up.  Still others are still trying to wrap their arms around what GDPR is and what it means for U.S. businesses.  For those of you still trying to wrap your heads around it, below are a few basics to help familiarize yourself with the regulation and its relevance to you.

  1. I’m a U.S. business. Why does GDPR matter to me?

The reach of the GDPR regulation extends not only to European-based businesses, but also to all companies that do business, have customers, or collect data from people in the EU.  If you even have a website that could collect data from someone visiting the site from the EU, your business could be affected. No matter where your business resides, if you intentionally offer goods or services to the European Union, or monitor the behavior of individuals within the EU, the GPDR could be applicable.

  1. What’s the risk?

In addition to the PR or brand risk of being associated with noncompliance, GDPR provides for some pretty significant monetary penalties .  Some violations are subject to fines up to 10 million EUR or up to 2% of global annual turnover, whichever is greater.  For other violations, it is double – up to 20 million euros or 4% of your global annual turnover, whichever is greater.  For large businesses, this could be a substantial amount.

  1. What should I be doing?

First, talk with your general counsel or outside law firm.  They can help you interpret the law, review contractual obligations and assess the company’s overall privacy policies to help guide your compliance strategy going forward.  They can also help create defensible interpretations within certain ambiguous language in the regulation (e.g., what is “personal data” for purposes of the GDPR?).  The Article 29 Working Party, made up of the data protection authorities (DPAs) from all EU member states, has published guidance to clarify certain provisions, which can be helpful during this process.

Second, create a cross-functional team including areas including (but not limited to): communications/PR, IT, customer experience, digital, legal and operations.  This may be fairly similar to any cross-functional teams you may have (and hopefully have) already established to prepare for data breaches.  This team can begin designing and implementing a compliance strategy.  Under certain conditions, your business may need to appoint a Data Protection Officer (DPO) (See Articles 29 and 30).

  1. What are some key points of the GDPR?

GDPR is a data privacy regulation in the EU that is aimed at protecting users’ rights and privacy online.  It requires business to assess what kinds of data they’re collecting and to make that data accessible to users.  The regulation is long and complex with several moving parts, but four key points may be worth noting.

Key Definitions:  You will see several references to controllers, data subjects, personal data, and processing.  This vocabulary may be unfamiliar in relation to U.S. law, but here is how these key terms are defined – as a business subject to GDPR, you may be a “controller” or you may be a “processor”.  The individual is the “data subject”:

  • “Controller” = “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
  • “Processor” = “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
  • “Data subject”= “an identified or identifiable natural person (see definition of “personal data” above).”
  • “Personal data” = “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
  • “Processing” = “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
  1. Some Key Articles/Provisions:

Article 12Transparent information, communication and modalities for the exercise of the rights of the data subject.

This article creates rules around how users give consent to record their data.  The data subject must be provided with accurate information on all relevant issues, such as the kind of data to be collected or process, and for what purposes. For some particularly sensitive data, (e.g., political opinion, religion, biometric data (including photographs), health data, etc.), consent must be “explicit”.   Consent must be “freely given”, meaning that the user has a “genuine” choice and be able to withdraw consent “without detriment”.  The data subject cannot be obliged to consent to data processing that is not necessary to provide the service he or she has requested.

For these reasons, the traditional “notice and consent” may not be sufficient, and actionable forms or buttons may be necessary.  “Silence, pre-ticked boxes or inactivity,” however, is presumed inadequate to confer consent.  Recital 32 of the GDPR notes that an affirmative action signaling consent may include ticking a box on a website, “choosing technical settings for information society services”, or “another statement or conduct” that clearly indicates assent to the processing.  “Silence, pre-ticked boxes, or inactivity” however, is presumed inadequate.  For those reaching European citizens digitally, working with IT or UX experts may prove important to create a seamless, but compliant, experience.

Article 17Right to erasure

The “right to be forgotten” means that businesses must be able to remove data on a user at their “without undue delay”.  Further, the businesses have an obligation to erase personal data “without undue delay” under certain additional circumstances.

Article 20. Right to data portability.

Users have the right to receive any data that a business may have on them the firm must provide such data in a “structured, commonly used and machine-readable format”.  Further, the data subject has the right to transmit such data to another business without being hindered by the business that provide the data where the processing is either (a) based on certain consents or (b) carried out by automated means.  Where technically feasible, the data subject also has the right to have the personal data transmitted directly from one controller to another.

Article 8. Conditions applicable to child’s consent in relation to information society services.

Article 8 limits the ability of children to consent to data processing without parental authorization.  Previous drafts of the GDPR had set the age of consent at 13 years old, which would have been consistent with the age set by the United States’ Children’s Online Privacy and Protection Act (“COPPA”). A last-minute proposal aimed  to raise the age of consent to 16 years old.  In the final draft, the age of consent is set at 16 unless a member state sets a lower age no below 13 years.  Thus, unless otherwise provided by member state law, controllers must obtain parental consent when processing the personal data of a child under the age of 16. With the difference between the U.S. age of consent under COPPA set at 13 (COPPA) and the European age of consent under the GDPR set at 16 (unless otherwise lowered by a member state), this could present some challenges for U.S. businesses offering international services.

Article 32.  Security of Processing.

Firms must follow security best practices across the board when collecting and protecting data. This may include, but isn’t limited to, specific password policies, information security frameworks (e.g., NIST, ISO, COBIT/ISACA, SSAE, etc.), and data encryption.

  1. What Else Should I Know?

If you believe your business might be affected, you should already be familiarizing yourself with the GDPR regulations and be well into your compliance plan.  The above summary is a sampling of key points and not a comprehensive analysis,, which should be undertaken to better understand your compliance obligations.  You should also be aware of the ePrivacy Regulation which will be following on the heels of the GDPR.

Whereas the GDPR covers the right to protection of personal data, while the ePrivacy Regulation encompasses a person’s right to a private life, including confidentiality.  There is some obvious overlap here, but the ePrivacy Regulation is intended to particularize GDPR for electronic communications — devices, processing techniques, storage, browsers etc.  The laws are intended to be in sync, but the ePrivacy regulations are still up in the air — optimistically forecasted to be finally approved by the end of 2018, although the implementation date remains to be seen.  In sum, GDPR compliance is all you can focus on right now, and hopefully GDPR compliance should position your business well for any additional compliance obligations that could subsequently arise from the finalized ePrivacy Regulation.

On December 5, 2017, NIST published a revised version of the NIST Cybersecurity Framework (i.e., Draft 2 of Version 1.1) (“Framework”).  According to NIST, Version 1.1 of the Framework refines, clarifies, and enhances Version 1.0 of the Framework issued in February 2014, and the recently published Draft 2 of Version 1.1 is informed by over 120 comments on the first draft proposed in January 10, 2017, as well as comments and discussion by attendees at NIST’s workshop in May 2017.

Among the various revisions, they include revisions intended to: (1) clarify and revise cybersecurity measurement language; (2) clarify the use of the Framework to manage cybersecurity within supply chains; (3) better account for authorization, authentication, and identity proofing; (4) better consider coordinated vulnerability disclosure, including the addition of a subcategory related to the vulnerability disclosure lifecycle; and (5) remove statements related to federal applicability in light of various intervening policies and guidance (e.g., Executive Order 13800, OMG Memorandum M-17-25, and Draft NIST Interagency Report (NISTIR) 8170) on federal use of the Framework.

NIST seeks public comment on the following questions by January 19, 2018:

  • Do the revisions in Version 1.1 Draft 2 reflect the changes in the current cybersecurity ecosystem (threats, vulnerabilities, risks, practices, technological approaches), including those developments in the Roadmap items?
  • For those using Version 1.0, would the proposed changes affect their current use of the Framework? If so, how?
  • For those not currently using Version 1.0, would the proposed changes affect their decision about using the Framework? If so, how?

Feedback and comments should be directed to cyberframework@nist.gov.

To view a markup (.pdf) of the revised draft Framework, click here.

To view a clean version (.pdf) of the revised draft Framework, click here.

To view the draft roadmap (.pdf), click here.

To view the draft Framework Core (.xls), click here.

On November 15, 2017, the Trump administration released the Vulnerabilities Equities Policy and Process. This document describes the process by which U.S. agencies and departments determine whether to disclose or restrict information on vulnerabilities in information systems and technologies. The Vulnerabilities Equities Process (VEP) balances whether to disclose vulnerability information to the vendor or supplier in the expectation that the vulnerability will be fixed or to temporarily restrict disclosure of the information so that it can be used for national security and/or law enforcement purposes.

The Equities Review Board (ERB), consisting of individuals from numerous agencies, functions as the forum for interagency deliberation and determination concerning the VEP. The National Security Agency will function as the VEP Executive Secretariat. The VEP Executive Secretariat will oversee communications, documentation and recordkeeping for the VEP. The VEP Executive Secretariat will also publish a report of unclassified information on an annual basis.

The VEP provides steps for submitting and reviewing identified vulnerabilities:

  • When an agency determines that a vulnerability reaches the threshold for entry into the VEP, it will notify the VEP Executive Secretariat and provide a recommendation for disclosure or restriction of the vulnerability.
  • The VEP Executive Secretariat will provide notice to all agencies of the ERB and request agencies to respond if they have a strong interest (i.e., “equity”) in the vulnerability. Any agencies with a strong interest in the vulnerability must concur or disagree with the recommendation.
  • The ERB will then reach a consensus on whether or not to disclose or restrict the vulnerability

To view the VEP Charter, click here.

To view the fact sheet, click here.

If you’ve seen the news, you’re probably aware that Equifax announced last week that hackers had breached some of its website application software, potentially affecting the sensitive personal information of approximately 143,000,000 consumers.  If you believe you may be affected by the breach, or are wondering what to do about it, read below for: (A) a brief background of the breach and mitigating efforts, as well as: (B) 5 basic steps to take that may improve your chances of protecting yourself from identity theft as a result of the breach.

A. Background: Equifax Breach

The scope of data includes names, social security numbers, birth dates, addresses, and driver’s licenses.  The incident may have also compromised credit card numbers for 209,000 U.S. consumers, and other “dispute documents” that contained identifying information for 182,000 consumers.  On July 29, the company discovered the intrusion, which began in mid-May and continued through July.  More information can be found in a video statement by CEO, Rick Smith.  To support consumers, Equifax has beefed up its call centers and is directing consumers to a specific Equifax’s website, where they can type in their last name and the last 6 digits of their social security number to see if they are impacted; they also have the option to enroll in its “TrustedID Premier” service. Normally costing $19.95 a month, Equifax is offering this “comprehensive package of ID theft protection and credit monitoring at no cost.”

Criticisms.  Some debate currently exists about whether consumers should sign up for this product on the Equifax website, and various criticisms are being blasted on social media and elsewhere over the way in which Equifax is handling the breach:

  • Some have specifically criticized the nature of Equifax’s help, asserting that (a) consumers may be giving up some rights to sue the company if they signed up for its credit monitoring services, and (b) while companies do offer an opt out provision, consumers must do so in writing within 30 days of accepting the services, which the CFPB has pushed back against.
  • One Ars Technica article even criticizes the security of the Equifax website itself, which encourages you to type in your last name and the last 6 digits of your social security number to see if you’ve been impacted. According ot the article, “it runs on a stock installation WordPress … that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number.”
  • Some criticize free credit card monitoring as simply a Band-Aid, like treating the symptom instead of the underlying disease.
  • Other criticisms range from the Equifax’s delay (five weeks) before announcing to sale of shared by top executives shortly after the July 29 discovery of the breach.

Response.  Contrary to some of these assertions and several social media posts, Equifax has clarified on its website that consumers signing up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of Trusted ID Premier. Equifax also subsequently clarified in its FAQs that enrolling in the free credit file monitoring and ID theft protection associated with this cybersecurity incident does not waive any rights to take legal action.

B. Now What Do I Do?

Perhaps you are concerned that your information may have been compromised.  Perhaps you even went on the Equifax website and were told that your information “may have been impacted”. As you weigh the pros and cons of enrolling in Equifax’s TrustedID Premier product, or entering your information to see whether you may have been impacted, here are some additional steps you can take to protect yourself:

  1. Check your credit reports. Through this website, you can check your credit reports once a year – for free – from each of the 3 major credit reporting agencies, Equifax, Experian, and TransUnion. Accounts or activity that you do not recognize could indicate identity theft.
  2. Consider placing a credit freeze on your files. While it may not prevent an identity thief from making charges to existing accounts, placing a credit freeze on your file could make it harder for someone to open a new account in your name. A freeze will remain in place until you request it to be removed or temporarily lifted, which can take up to 3 business days.  Note that if you plan on opening a new account, applying for a job, renting an apartment or buying insurance in the near future, you will need to either remove the freeze or lift it temporarily for a specific time or specific party (e.g., potential landlord, employer, etc.). Check with your credit reporting company for the costs and lead times associated with temporarily lifting a freeze. If you coordinate with the party, you can find out which company they are contacting, and simply lift the freeze for that company instead of all three.
  3. Alternatively, if someone has misused your information, place a fraud alert. While a credit freeze locks down your credit, a fraud alert allows creditors to access your report as long as they take steps to verify your identify.  For instance, if you provide a phone number, the business must call you to verify you are the person making the credit requests. This may prevent someone from opening new credit accounts in your name, but won’t prevent the misuse of your existing accounts (i.e., bank, credit card, insurance statements), which you should still monitor for any indications of fraudulent transactions. You must only ask one of the three credit reporting companies to put a fraud alert on your report – they will contact the other two.  Fraud alerts are free, but require you to provide proof of your identity. They can vary from: (a) initial fraud alert (90 days, but can be renewed), (b) extended fraud alert (7 years) and (c) active duty military alert (protecting the military while deployed for one year).
  4. Monitor your existing credit card and bank accounts closely. As stated above, credit freezes and fraud alerts help prevent the opening of new accounts using your information, but they may not prevent misuse of your existing accounts. For the next couple of months, put a note in your calendar to sit down and go through each bank and credit statements to monitor for any charges you do not recognize.
  5. File your taxes early. Tax identity theft can occur when someone uses your Social Security number to get a tax refund or a job.  You may recall in 2015, when hackers obtained sensitive information and then used the data to authenticate themselves to the IRS Get Transcript application and receive tax record belong to approx. 724,000 tax filers. More recently, the IRS announced the compromise of an online tool used to fill out FAFSA student loan applications. By filing your taxes as soon as you have the tax information you need, you can help to prevent a scammer from doing so. Respond to any letters from the IRS right away.

Contact Information for the Three Credit Reporting Companies:

  1. TransUnion — 1-800-680-7289
  2. Experian — 1-888-397-3742
  3. Equifax — 1-888-766-0008

On August 1, 2017, the Senate introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”, which aims to bolster the security of government-acquired IoT devices.  Sponsored by Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT), the bill would require connected devices purchased by the government agencies to be patchable, rely on industry standard protocols, not use hard-coded passwords, and not contain any known security vulnerabilities.

The bill would also require each executive level agency head to inventory all connected devices used by the agency.  OMB and DHS would establish guidelines for the agencies based on DHS’s Continuous Diagnostics and Mitigation (CDM) program.  Specifically, the bill directs OMB to develop alternative network-level security requirements for devise within limited data process and software functionality.  It also directs DHS to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.  Finally, researchers would be exempted from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaging in good-faith research pursuant to adopted coordinated vulnerability disclosure guidelines.

This legislation follows calls for more security and standards addressing IoT devices to further safeguard information from potential attacks. For example, the Government Accountability Office (GAO) recently recommended that the Department of Defense update its policies to address IoT risks that leave them vulnerable to attacks.  In addition, Trump’s executive order on cybersecurity called for reports with recommendations to reduce the threat of botnets and other automated distributed attacks.

In a press release, Senator Warner, co-chair of the Senate Cybersecurity Caucus (SCC), states that the bill would provide “thorough, yet flexible guidelines for Federal Government procurements of connected devices.”  In the same statement, the SCC’s co-chair, Sen. Garner, states the bill would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.”

To view the introduced legislation, click here.

To view the public statement, click here.

To view the fact sheet summary, click here.

 

An Alabama man has been sentenced to spend six months in prison for illegally accessing the personal information of over fifty women. For over two years, Kevin Maldonado engaged in a hacking technique called “phishing,” creating fake email accounts impersonating email providers and requesting numerous women to change their email passwords. He was then able to obtain passwords and access private information, including personal photographs. Maldonado then stored the stolen information on his personal computer. Maldonado pleaded guilty in February 2017 to computer intrusion, and was sentenced to six months in prison and three years of supervised release.

Although extensive, Maldonado’s phishing technique is a common strategy employed by hackers to gain personal information. Phishing scams are fraudulent email messages that appear to come from legitimate sources. In 2016, according to the FBI’s Internet Crime Complaint Center, there were more than 19,000 victims of phishing and related scams. Email users can guard against these scams by verifying information sent in emails, like the name of the company, sender and url links embedded in the email message. Personal firewalls and security software can provide even more protection if needed.

To view information from the SEC on protection from phishing scams, click here.

To view the U.S. Attorney’s press release click here.

Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will now be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to $1 million Chinese yuan (~$147,000); (2) personal fines for directly responsible persons up to $100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could include up to five times the amount of those ill-gotten gains).

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator) the final versions of these documents are still forthcoming.  These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”.  Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018.  It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language.  It is also unclear on whether the new law may alienate small or medium sized businesses otherwise looking to enter the Chinese market.  While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state run website, China Daily, on May 31, 2017, click here.

Target Corporation has reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the investigation into the retailer’s 2013 data breach, officials announced on May 23, 2017. The 2013 data breach incident triggered various state consumer protection and data breach laws when hackers accessed consumer data for over 110 million Target customers. In response, state attorneys general from across the country joined in an investigation led by Connecticut and Illinois. The investigation has culminated in the largest multistate data breach settlement to date.

In November 2013, hackers breached Target’s gateway server using stolen credentials from a third-party vendor. The hackers were able to access a customer service database, install malware on the system, and capture consumer data. Customer payment card accounts for more than 41 million and contact information for more than 60 million, including full names, telephone numbers, email and mailing addresses, payment card numbers and verification codes, and encrypted debit PINs, were compromised in the breach.

Notably, Target has agreed to much more than the monetary payments to the states. Through Target’s compliance with the settlement agreement, various state attorneys general project Target will set industry standards for secure credit card processing and customer data maintenance. According to the settlement terms, Target must adhere to several requirements, including: (1) developing, implementing, and maintaining a comprehensive information security program within 180 days designed to protect customer personal information; (2) employing an executive or officer responsible for implementing and maintaining the information security program; (3) developing and implementing policies and procedures for auditing vendor compliance with its information security program; (4) maintaining encryption protocols and policies; (5) complying with the Payment Card Industry Data Security Standard (“PCI DSS”) with respect to its payment card system; (6) segmenting its payment card system from its larger computer network; (7) deploying and maintaining controls to detect and prevent the execution of unauthorized applications within its point-of-sale terminals and servers; and (8) adopting improved, industry-accepted payment card security technologies, such as chip and PIN technology.

Target has one year to obtain a third-party security assessment and report and provide the report to the Connecticut Attorney General’s Office.

A copy of the full settlement is available here.

On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.

According to the FISMA report, agencies reported over 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.

Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:

  • Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
  • Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
  • Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.

Federal agencies will look to continue these cybersecurity improvements in 2017.

To view the Report, click here.

On January 10, 2017, NIST issued an update to the NIST Cybersecurity Framework (v.1.1).  After reviewing public comment and convening a workshop, NIST intends to publish a final version of this Version 1.1 in the fall of 2017.

Key updates the framework include:

  • Metrics.  A new section 4.0 on Measuring and Demonstrating Cybersecurity to discuss correlation of business results to cybersecurity risk management metrics and measures.
  • Supply Chain.  A greatly expanded explanation of using the framework for supply chain risk management purposes.
  • Authentication, Authorization and Identify Proofing.  Refinements to the language of the Access Control category to account for authentication, authorization, and identify proofing.  A subcategory has been added, and the Category has been renamed to “Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding subcategories.
  • Explanation of Relationship between Implementation Tiers and Profiles.  Adds language on using Framework Tiers in Framework implementation, to reflect integration of Framework considerations within organizational risk management programs, and to update Figure 2.0 to include actions from the Framework Tiers.

More detail on the changes can be found in Appendix D.  NIST seeks public comment on the following questions:

  • Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?
  • How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?
  • For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
  • For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
  • Does this proposed update adequately reflect advances made in the Roadmap areas?
  • Is there a better label than “version 1.1” for this update?
  • Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

A redline version of the framework can be found by clicking here.  A clean version of the Framework may be found by clicking here.