- Can risk be calculated based on a control’s maturity level?
- Do non-contextual impact ratings for controls provide any real value?
- How does the RMF fit into the NIST CsF?
- Why can’t I just adopt the NIST CsF without leveraging additional guidance or frameworks?
- What is the best approach for implementing the NIST CsF in the healthcare industry?
- If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST CsF?
- If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST CsF?
- Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?