National Institute of Standards and Technology

Subscribe to National Institute of Standards and Technology via RSS

On September 13, 2016, Governor Andrew Cuomo announced the first proposed broadly applicable cyber regulation in the U.S. (the “Regulation”). The Regulation covers banks, insurance companies and other financial institutions (Covered Entities) regulated by the New York Department of Financial Services (the “DFS”). The Regulation is tightly focused, but with broad reach. It appears to adopt aspects of other regulations and standards, but then adds some unique requirements that create the most sweeping and protective regulation proposed. If adopted in a form close to the draft presented, financial institutions regulated by the DFS will have significant responsibility, and oversight, for protecting core operations and data, which extends far beyond personally identifiable information covered by most existing statutes and regulations.

At the core is the Regulation’s first section, which requires Covered Entities to “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” This requirement is analogous to, and may have been modeled on, Section 242.1001(a) of the Securities and Exchange Commission’s Regulation Systems Compliance and Integrity (Reg SCI). This seemingly simple requirement has broad implications, as failures of data and systems integrity and availability have the potential to be far more devastating to institutions and individuals than confidentiality breaches. Much of the Regulation provides the regulatory scaffolding designed to ensure that Covered Entities meet this requirement.

However, whereas Reg SCI uses language in its core requirement that does not have clear definition in existing cybersecurity standards, DFS took another route. By using the terms “confidentiality, integrity and availability” and requiring Covered Entities to identify Nonpublic Information, the sensitivity of Nonpublic Information, and how and by whom such Nonpublic Information may be accessed, the Regulation incorporates concepts that appear to come directly from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 (NIST 800-53 Standard). The NIST 800-53 Standard requires data and systems identification and classification, and may provide an analogous structure that could be used for much, but not all, of the policies, processes and procedures required by the Regulation.Continue Reading The Cyber Regulation Drops

The National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force released a revised draft of the Insurance Data Security Model Law (Model Law) last week. The Model Law’s goal is to “establish exclusive standards… for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to state insurance laws. The Model Law was first released in April of this year and received over 40 comments from trade associations, market participants and regulators. This week, at the NAIC National Summer Meeting, the Task Force met with interested parties to discuss comments on this new draft and written comments to the Model Law may be submitted by September 16, 2016.
Continue Reading NAIC Released Draft of Revised Insurance Data Security Model Law for Review

The National Institute of Standards and Technology (NIST) developed and issued its voluntary “Framework for Improving Critical Infrastructure Cybersecurity” (Framework) in response to a 2013 Executive Order in February of 2014. It was developed in collaboration with industry, academia and state and federal government officials. It has been widely praised and used as a valuable

On September 18, 2015, the National Institute of Standards and Technology (NIST) issued its draft Framework for Cyber-Physical Systems (CPS), which is “intended to provide a methodology for understanding, designing and building CPS including those  with multiple applications.” CPS are smart systems that interact between physical and computational components. These interconnected and integrated systems “can

An interagency working group led by The National Institute of Standards and Technology (NIST) and The Department of Commerce recently published a draft report (the Report) recommending that the U.S. government increase its efforts to develop international cybersecurity standards by coordinating with other governments and the private sector.

Historically, U.S. standard setting efforts have been