The National Institute of Standards and Technology (NIST) is developing a cybersecurity framework that ties standards, methodologies, procedures, and processes together with cyber risk policy and with business and technological approaches. As it develops the framework further, it has issued a request for information (RFI) to better understand which user considerations need to be taken into account when building it.
NIST will work with the Secretary of Homeland Security, the National Security Agency, sector-specific agencies (such as healthcare organizations) and other interested agencies including the Office of Management and Budget (OMB), owners and operators of critical infrastructure and other stakeholders. Most importantly for many healthcare organizations, the framework will go through an open public review and comment process, including workshops and public input opportunities. Comments must be received by Monday, April 8, 2013.
Of course, the security standard needs of different industries are not all the same, and NIST recognizes the need to develop sector-agnostic policies.
Given the diversity of sectors in critical infrastructure, the Framework development process is designed to initially identify cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential gaps (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through collaboration with industry and industry-led standards bodies.
In creating this framework, NIST will be working toward being able to: (i) Identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) Specify high-priority gaps for which new or revised standards are needed; and (iii) Collaboratively develop action plans by which these gaps can be addressed. It is contemplated that the development process will have requisite stages to allow for continuing engagement with the owners and operators of critical infrastructure, and other industry, academic, and government stakeholders.
The NIST cybersecurity framework is clearly a project that the healthcare industry should keep an eye on, because plenty of healthcare organizations already base some of their policies and procedures on NIST guidelines.