Cybersecurity Framework Useful, But Falls Short on Privacy


Today the National Institute of Standards and Technology (NIST) released its long-anticipated voluntary cybersecurity framework. In February 2013, President Obama called on NIST to develop the framework as part of an executive order to address cybersecurity risks in critical infrastructure. CDT released the following statement in response:

“The voluntary cybersecurity framework provides a number of useful guideposts for companies who want to better secure their data,” said Greg Nojeim, Director of CDT’s Project on Freedom, Security & Technology. “The framework will be useful to companies and their privacy officers, because it will remind them that processes should be put in place to deal with the privacy issues that arise in the cybersecurity context.”

“However, we are concerned that the privacy provisions in the framework were watered down from the original draft,” continued Nojeim. “We would have preferred a framework that requires more measurable privacy protections as opposed to the privacy processes that were recommended. As the framework is implemented, we are hopeful that such privacy protections are further developed and become standardized.”

“When it comes to securing private networks, the bottom line is that companies that go the extra mile in adopting strong privacy practices will be rewarded in the marketplace, because privacy and security are good for business,” said Nojeim.