The National Institute of Standards and Technology (NIST) recently released the final “Framework for Improving Critical Infrastructure Cybersecurity.”  The Framework addresses procedures and processes for reducing cyber risks to critical infrastructure – which includes the transportation sector and pipeline systems.  These voluntary guidelines address existing global cybersecurity standards and practices and summarize cybersecurity activities common across critical infrastructure sectors.  The Framework was developed by NIST for the purpose of helping organizations to understand, communicate, and manage cyber risks, and is a key deliverable under Executive Order 13636 and Presidential Policy Directive 21 issued by President Obama on February 12, 2013.

In conjunction with issuance of the Framework, the Department of Homeland Security announced its Critical Infrastructure Cyber Community Voluntary Program (or “C Cubed” (C3) Voluntary Program).  On February 19, 2014, DHS hosted a webinar detailing the launch of the C3 Voluntary Program, in which it outlined that the key goals of the program are: (1) supporting cyber resiliency; (2) increasing use of the Framework; and (3) encouraging business management to consider cyber risks and issues as part of their respective business models.  DHS noted in particular the availability of the Cyber Resilience Review – a free, voluntary, non-technical assessment tool that organizations may access from DHS’s website to evaluate their operational resilience and cybersecurity practices.  During the coming year, the Agency will conduct outreach with critical infrastructure sectors, including pipelines, to seek feedback in developing guidance on how to implement the Framework.

Although adoption of the Framework and participation in the C3 Voluntary Program are both voluntary at this time, operators should nevertheless monitor the development of these initiatives going forward, as they may articulate best practices for managing cybersecurity risks.  Moreover, Executive Order 13636 directs sector-specific agencies to engage in a consultative process with DHS, the Office of Management and Budget, and the National Security Staff to review the Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. If these agencies deem current regulatory requirements to be insufficient, then they “shall propose prioritized, risk-based, efficient, and coordinated actions…” This process could lead to new cybersecurity regulations in various sectors.