The NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework) complements rather than replaces an organization’s existing cybersecurity program by providing a common language and mechanism for organizations to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improving the management of risk
- Assess progress toward the target state
- Foster communications among internal and external stakeholders
The NIST Cybersecurity Framework also provides specific cybersecurity outcomes—essentially control objectives—that organizations should strive to achieve as well as examples of specific controls from other, lower-level and generally more prescriptive frameworks like the HITRUST CSF, which NIST refers to as ‘Informative References.’
How the HITRUST CSF and HITRUST Assurance Program Supports NIST Cybersecurity Framework Implementation
HITRUST Informative Reference
In late 2019, NIST began working with members of the NIST Cybersecurity Framework community to create and maintain a more comprehensive Online Informative Reference (OLIR) Catalog to supplement the limited number of References provided in the NIST Cybersecurity Framework document. The Catalog’s Informative References are developed by submitting parties according to NIST Interagency Report (IR) 8278A, National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers, and are vetted by NIST for correctness. NIST works closely with submitters regarding any necessary corrections to these Informative References and hosts links to both public draft and final versions.
HITRUST was one of a select few organizations to participate in the initial 2019 pilot of the OLIR Catalog with its v9.2 release of the HITRUST CSF and continues to develop and maintain its OLIR Catalog mappings for new releases of the framework. Links to current and draft versions of the HITRUST CSF – NIST Cybersecurity Framework OLIR Catalog mappings—the HITRUST Informative Reference—are provided below.