- The National Institute of Standards and Technology (NIST) recently released an updated draft version of its Cybersecurity Framework, with incorporated comments from the December 2015 Request for Information and comments from Cybersecurity Framework Workshop 2016 attendees.
The Framework was first published in February 2014, under a presidential executive order direction.
The primary goals at the time were to have a voluntary framework that assists organizations better manage cybersecurity risk in the nation’s critical infrastructure.
Since then, numerous industries - including healthcare - have adopted the Framework to create stronger cybersecurity measures.
The updated version is meant “to refine and enhance the original document and to make it easier to use,” Matt Barrett, NIST’s program manager for the Cybersecurity Framework said in a statement.
“This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
Barrett added that the update also introduces the idea of cybersecurity measurement, which “will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”
The updated version incorporated vocabulary to assist organizations that want to use the Framework for cyber supply chain risk management.
“The practice of communicating and verifying cybersecurity requirements among stakeholders is one aspect of cyber supply chain risk management (SCRM),” the document reads. “A primary objective of cyber SCRM is to identify, assess and mitigate ‘products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.’”
The definition of Identity Management and Access Control was also updated, clarifying “authentication” and “authorization” definitions.
Under the Framework category for Identity Management and Access Control, NIST explains that “access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.”
When NIST called for comments in December, it requested feedback on the following:
- the variety of ways in which the NIST Cybersecurity Framework is being used to improve cybersecurity risk management,
- how best practices for using the NIST Cybersecurity Framework are being shared,
- the relative value of different parts of the NIST Cybersecurity Framework,
- the possible need for an update of the Framework, and
- options for the long-term management of the Framework.
The Healthcare Information and Management Systems Society (HIMSS) submitted comments on how the first version could be improved, and said that the Framework is most useful in that it helps organizations create or update their risk management programs.
“Since many healthcare organizations could benefit from improving their risk management process and better address cybersecurity risk, the NIST Cybersecurity Framework could be useful in helping healthcare organizations improve their security posture,” HIMSS explained in its letter.
HIMSS did note though that HIMSS the healthcare sector in particular could greatly benefit if the NIST Cybersecurity Framework were to be made more industry-specific. For example, “the NIST Cybersecurity Framework could be more useful to healthcare stakeholders by providing metrics and other tools to measure progress with the Framework.”
There should also be a “common set of consensus-based, private sector-led guidelines, best practices, methodologies, procedures, and processes in relation to privacy and information security risk management,” HIMSS said in its comments, adding that this should also be consistent with Section 405 of CSA.
“Generally, the Framework could be used as a tool to develop a common set of voluntary, consensus-based, and private sector-led guidelines, best practices, methodologies, procedures, and processes, consistent with Section 405 of CSA,” HIMSS wrote. “In addition, the Framework could be greatly enhanced to benefit the healthcare sector.”
Individuals can submit comments on the updated version until April 10, 2017.