Like most people, I took the fact that the NIST Cybersecurity Framework (NCsF) is characterized as a “voluntary” program to be a true statement. Of course, my suspicious side expected that over the next few years it would evolve to be a mandatory program—perhaps sooner if we were unlucky enough to have a dramatically impactful cyber incident to our critical infrastructure (CI). But two interesting meetings last week changed my perspective notably.
The first was a cyber liability presentation that I gave to an insurance fund that provides comprehensive insurance protection to a sizeable percentage of this particular state’s municipalities. Some of the members in attendance were “Municipal Utility Districts” (MUDs), which are covered by the Cybersecurity Framework because the electricity, gas, sewage treatment, or water related assets they maintain are considered CI. When I referred to the standard as voluntary in my presentation, several attendees immediately spoke up. Both of the MUDs in attendance reported that their attorneys had advised them that they should consider the standard to be “mandatory” because, if the MUD’s cybersecurity practices were ever questioned during litigation or a regulatory investigation, the “standard” for “due diligence” was now the NIST Cybersecurity Framework.
The second was a meeting with the “Board of Water Commissioners” for a water district that serves about 50,000 customers. I had been asked to attend to provide some feedback on the security design of a 900 Mhz smart meter network that they were planning to roll out. When the conversation turned to the NIST Cybersecurity Framework, I was a little surprised when the commissioners were adamant that they wanted us to ensure that the design would fully comply. It turns out that the Water District’s cyber liability insurance provider had already advised them that compliance with the standard was a requirement to maintaining their insurance.
So if you are responsible for one of the financial services, communications, critical manufacturing, defense industrial base, energy, emergency services, food/agriculture, healthcare, information technology, utilities, or transportation systems that the Cyber Security Framework apply to, I’d advise you to check with your attorney and insurance agent: “voluntary” might actually mean “mandatory” for your organization, too.