The #1 Reason NIST Cybersecurity Framework is Becoming the Standard

An article in eCommerce Times offers a well-reasoned argument for why the NIST (National Institute of Standards and Technology) Cybersecurity Framework is the guiding force in shaping the United States’ federal cybersecurity strategy: “NIST Risk-Assessment Framework Shapes Federal Cybersecurity Strategy.” You should read it — but only after you read the following explanation, because it is a lot simpler.

The #1 reason the NIST Cybersecurity Framework is quickly becoming the standard that companies doing business in the United States are measured against (as opposed to, for example, ISO 27001) is that it is the standard the regulatory agencies themselves look to. Consider the following:

  1. The US regulatory agencies (primarily the FTC and SEC) are the key driving force behind cybersecurity compliance among US companies, and this trend will increase in 2016 (for an explanation, listen to the podcast / read the posts);
  2. The regulatory agencies, being agencies of the US government, naturally use the NIST Cybersecurity Framework as the default standard against which they compare companies when determining whether their efforts were reasonable;
  3. These agency enforcement actions are creating most of the substantive “law” and guidance on cybersecurity compliance issues; thus,
  4. The development of much of the substantive law is based on the NIST Cybersecurity Framework.

EDIT: Thanks to @pjcoyle on Twitter, with assistance from @Aristot73, for pointing out to me how this post could be read as arguing that companies must either “comply” with NIST or they are negligent. That is not what I mean — what I mean is that of the “standards” that are out there, such as NIST, ISO 27001, etc., NIST is the one that the agencies and courts are looking to when they are being looked to. 

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.


Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.
