Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?
An industry sector or organization implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework) must understand that the Framework does not stand alone: it relies on existing standards, guidance, and leading practices to achieve the specific outcomes intended to help organizations manage their cybersecurity risk.
Specifically, the NIST Cybersecurity Framework provides a common language and mechanism to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improving the management of risk
- Assess progress toward the target state
- Foster communications among internal and external stakeholders
The NIST Cybersecurity Framework is intended to complement rather than replace an organization’s existing business or cybersecurity risk management process and cybersecurity program. Organizations with a program in place should keep using their current processes and leverage the Framework to identify opportunities to improve how they manage cybersecurity risk; an organization without an existing cybersecurity program can use the Framework as a reference for establishing one. In other words, the NIST Cybersecurity Framework gives critical infrastructure industries an overarching set of guidelines that provide a minimal level of consistency in the depth, breadth and rigor of their cybersecurity programs.
These overarching guidelines are presented through the NIST Cybersecurity Framework Core, which provides the structure upon which a cybersecurity program may be built. The lowest level of the Core, the Subcategories, provides high-level requirements—essentially control objectives—that organizations should strive to implement. However, the Subcategories lack the prescription an organization needs to actually implement them, which is why NIST supplements each one with Informative References: examples of controls drawn from other, lower-level and generally more prescriptive frameworks such as ISO/IEC 27001:2013 and NIST SP 800-53 r4. NIST describes these references as illustrative rather than exhaustive, so an organization still has to select and tailor the specific controls that satisfy each Subcategory in its own environment.
For example, NIST maps PR.PT-1 (audit/log records are determined, documented, implemented, and reviewed) to ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, and A.12.7.1, and to the entire NIST SP 800-53 r4 AU (Audit and Accountability) family. The HITRUST CSF is mapped as follows:
It is clear that multiple, more specific requirements are needed to satisfy the objectives stated by the NIST CsF Subcategories. And for a healthcare entity to select a reasonable and appropriate set of administrative, physical and technical safeguards that adequately protect ePHI, it must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” it holds, as required by the HIPAA Security Rule at 45 CFR § 164.308(a)(1)(ii)(A). To learn more about how the HITRUST risk management framework (RMF) satisfies this requirement, refer to the guide on Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.
As mentioned in a previous FAQ, HITRUST and the Healthcare and Public Health (HPH) Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) recognized the need for additional guidance to sector organizations on how to properly implement the NIST CsF, and established the development of such guidance as one of four core tasks for the Joint (SCC/GCC) HPH Cybersecurity Working Group. The result is the Healthcare Sector Cybersecurity Framework Implementation Guide, the Section 508-compliant version of which is available as one of seven sector-specific guides on the US-CERT Cybersecurity Framework webpage. For more information on the Critical Infrastructure Protection (CIP) initiative under which the healthcare implementation guidance was developed, refer to the webpages on CIP Partnerships and Information Sharing, Critical Infrastructure Sector Partnerships, and HPH: Council Charters and Membership.
To understand why the HITRUST RMF, which consists of the HITRUST CSF, the CSF Assurance Program, and their supporting methods and tools, is the most widely used approach in healthcare, refer to the joint presentation by the CIOs of Health Care Services Corporation and Children’s Health Dallas, Selecting a Healthcare Information Security Risk Management Framework in a Cyber World.