You might ask yourself: "The NIST Cybersecurity Framework is just a voluntary standard... right? I mean, there's no law making it mandatory. Quite to the contrary, President Obama's Executive Order 13636, which commissioned the framework, contemplated something voluntary. So surely the Framework really is just voluntary. Right?"
You'd be right to ask that question. But after today, the NIST Framework feels just a little bit more mandatory than it did before. Because today, the FTC published a lengthy blog post highlighting how the NIST Cybersecurity Framework is "consistent" with the FTC's own expectations for how companies will handle cybersecurity. I guess that doesn't mean you absolutely have to follow the Framework. There's certainly nothing in the FTC's announcement that expressly says "hey, this is mandatory". But it's hard to read guidance littered with references to past enforcement actions and not feel at least a little bit of obligation.
So you might ask yourself, "How did I get here?"
Congress has never given the FTC any cybersecurity authority per se. (Putting aside Gramm-Leach-Bliley, which applies only to certain financial businesses.) Instead, the story starts with Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce" and gives the FTC the power to enforce that prohibition. In cases like the seminal Wyndham action, the FTC used Section 5 to go after companies that had claimed to protect consumers' data zealously but in fact fell down on the job (or so says the FTC). The thrust of these FTC actions was deception: what companies said about their security versus what they did. But there was more than a hint in these actions that the FTC also claimed authority to regulate cybersecurity itself, that is, what companies do about cybersecurity and not just what they say about it. The FTC eventually synthesized its views from these cases into the Start with Security guide. Today's announcement goes further. The FTC now takes the position that the NIST Cybersecurity Framework is "consistent" with its own approach in Start with Security. And since the NIST Cybersecurity Framework is fundamentally about what companies do about cybersecurity rather than what they say, it feels an awful lot like the FTC is actually adopting cybersecurity regulations.
Here is the key passage from the FTC's post:

"We often get the question, 'If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?' From the perspective of the staff of the Federal Trade Commission, NIST's Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s, the 60+ law enforcement actions the FTC has brought to date, and the agency's educational messages to companies, including its recent Start with Security guidance."