In February 2014 the U.S. National Institute of Standards and Technology (‘NIST’) published the first NIST Cybersecurity Framework, responding to an Executive Order on improving critical infrastructure cybersecurity issued by President Obama. At the end of last year, NIST released draft two of the Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, which incorporates feedback received by NIST since the release of Version 1.0.
While cybersecurity has become an obsession for business and government in the past decade, we are still adrift on selecting the standards needed to build an adequate cyber protection program. Many standards bodies have released proposals, and every profession from auditors to privacy officers proposes its own certifications and methods of building secure data architecture.
And yet, no court case has firmly recognized any set of commercial data protection standards, and no regulatory entity has consistently held with a set of required behaviors, technologies, and procedures. We navigate this ocean without sextant or North Star.
THE NATIONAL LAW REVIEW, 04.20.2018