The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity [1], or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide [2], produced and published under the auspices of the Critical Infrastructure Protection Program's (CIPP) Public-Private Partnership [3].
Although the NIST CsF provides an overarching framework for cyber resilience programs that can be adopted by virtually any organization in any industry, this flexibility comes at the cost of granularity. Because the CsF does not specify the cybersecurity controls an organization should implement, organizations must analyze the risk arising from their use of information and information technology (IT) and then either design their own controls or select controls from a suitable control-based risk management framework, such as ISO/IEC 27001, NIST SP 800-53, or the HITRUST CSF.
The Healthcare Sector Cybersecurity Framework Implementation Guide describes how organizations can leverage the HITRUST risk management framework (RMF), consisting of the HITRUST CSF, the CSF Assurance Program and supporting methods and tools, to implement resilient cybersecurity programs that are consistent with, and achieve the objectives specified by, the NIST CsF.
- [1] NIST (February 12, 2014). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. Gaithersburg, MD: Author. Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
- [2] Joint HPH Cybersecurity WG (May 2016). Healthcare Sector Cybersecurity Framework Implementation Guide, Version 1.1. Retrieved from https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.
- [3] For more information on the CIPP, see the web page at https://www.dhs.gov/critical-infrastructure-protection-partnerships-and-information-sharing.