Cryptography is the “technology used to store and transmit data in a particular form so it can only be read or processed by the intended recipient” and has been a hot topic for the National Institute of Standards and Technology (NIST) of late.  First, on March 31, 2016, NIST released the final version of its document outlining its process for developing cryptographic standards and guidelines, NIST Cryptographic Standards and Guidelines Development Process (NISTIR 7977).   Then on April 5, NIST published a Draft Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies (NIST SP 800-175), which is currently open for public comment.  Comments on NIST SP 800-175 must be submitted by May 9, 2016.

While NIST standards for implementing cryptography initially apply to non-national-security federal agencies and their suppliers, NIST “considers its stakeholder community for cryptographic standards, guidelines, tools and metrics to be much broader.”  This serves as a reminder to private sector companies that enforcement agencies may ultimately apply NIST standards to private commercial conduct.  For example, the Department of Health and Human Services (HHS) points healthcare providers to guidance promulgated by NIST, such as the Advanced Encryption Standard (AES), when defining the providers’ regulatory obligation to protect patient data.  In January of this year, the Federal Trade Commission fined Henry Schein Practice Solutions, Inc., a dental practice management software provider, $250,000 for advertising that its Dentrix G5 software “encrypted” patient data when the company knew that Dentrix G5 protected that data with a less robust data-masking method rather than AES.  The practical lesson is that a marketing claim of “encryption” is measured against NIST-approved algorithms such as AES, not against whatever proprietary obfuscation a product happens to use.

With this in mind, following NIST standards can help businesses stay ahead of both competitors and regulators by establishing data security best practices.  For example, under NIST SP 800-175, “[e]very federal organization has (or should have) policies that address the information that they collect or create, including an Information Management Policy and an Information Security Policy. Organizations utilizing cryptography should also have a Key Management Policy.”

NIST has defined these policies as such:

Information Management Policy

  1. Specifies the information to be collected or created and how it is to be managed;
  2. Specifies the high-level goals for obtaining and using the information;
  3. Specifies the organizational management roles and responsibilities for the policy and establishes the authorization required for people performing these information-management duties;
  4. Specifies what categories of information need to be protected against unauthorized disclosure, modification or destruction; and
  5. Establishes the rules for authorizing one or more people to create policy and manage its implementation and use.

Information Security Policy

  1. Specifies the categories of information that are considered sensitive;
  2. Specifies the impact level associated with the sensitive information;
  3. Specifies the current, anticipated, and potential threats to the information;
  4. Specifies how the necessary protection is to be obtained; and
  5. Specifies the rules for collecting, protecting and distributing the sensitive information.

Key Management Policy

Includes descriptions of the authorization and protection objectives and constraints that apply to the generation, distribution, accounting, storage, use, recovery and destruction of cryptographic keying material, and the cryptographic services to be provided (e.g., message authentication, digital signature, and encryption).

Conclusion

Businesses that store and transfer data need to stay apprised of NIST standards of today, as they may shape the commercial regulation of tomorrow.   For assistance with commenting on NIST standards, preparing internal cyber policies or developing other legal cyber strategies contact a Cyber lawyer today.