The FTC released their National Institute of Standards and Technology (NIST) framework for security back in February of 2014, after a 2013 executive order that required certain agencies and companies to improve their cyber security. Since then, the NIST framework has become something of a de facto standard in many ways, even when people don’t realize it. Of course, the framework itself wasn’t entirely original in what it recommended, but it did give those recommendations some official weight.
Whether you operate in a highly sensitive environment or just work in digital marketing, cyber security is extremely important. Following the main guidelines of the framework can help to avoid a lot of problems. For those not familiar, the framework encourages people to go through the steps of Identify, Protect, Detect, Respond, and Recover when any type of cyber threat emerges. It also provides details on how these steps should take place. For those interested, the full NIST framework can be found HERE.
A growing number of people have been asking whether or not they are required to comply with this framework.
With that in mind, the FTC has published a news post responding to that question. To sum up the answer, the FTC says that the framework is not something that any company can or must comply with in the normal sense of the word. Instead, it simply lays out best practices to help people in any industry.
That being said, the FTC does use this framework as a backdrop for evaluating any cyber security-related actions it is taking.
While the post made by the FTC doesn’t directly answer the question of whether or not people are required to follow the framework, it does remind people that the framework can serve as a valuable reference point for developing and implementing a cyber security strategy. No matter what type of business you are in, this is extremely important today and will become more important as time goes by.
You can read the full post from the FTC HERE.