The National Institute of Standards and Technology this week announced a significant update to its Cybersecurity Framework, which has been helping healthcare and other organizations of all shapes and sizes manage and mitigate increasingly severe cyber threats for the past 10 years.
WHY IT MATTERS
NIST is touting the new CSF 2.0 as the first major update to the framework since it was first published and disseminated a decade ago.
The updated edition, which was developed over years from a wide array of stakeholder comments received on the draft published this past August, is meant for a wider audience than the IT and infosec leaders in critical infrastructure the first version was initially designed for in 2014.
As ransomware attacks and other cybersecurity threats have intensified and proliferated, CSF 2.0 is now aimed at “all industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations – regardless of their degree of cybersecurity sophistication,” according to the agency.
NIST has broadened CSF’s guidance and put together new resources to help users put CSF 2.0 into action and better align with the recent National Cybersecurity Strategy.
The new framework puts a focus on governance, according to NIST, emphasizing that “cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.”
It offers resources to help organizations new to the framework learn from others who have found success with it, and gives a series of quick-start guides and other examples based around distinct users and use cases. And NIST’s new CSF 2.0 Reference Tool helps IT and security leaders browse, search and export data and details from the guidance in formats that are readable by both humans machines.
Its Cybersecurity and Privacy Reference Tool, meanwhile, contains an “interrelated, browsable and downloadable set of NIST guidance documents that contextualizes these NIST resources, including the CSF, with other popular resources.
The tool offers tips for communicating these ideas to both technical experts and the C-suite – a longtime challenge for cybersecurity pros at all levels – so all stakeholders can stay coordinated across an organization.
THE LARGER TREND
NIST has been continually seeking insights into how NIST is working for critical infrastructure organizations since it was first published, working from the early days to incorporate that feedback into improving the framework.
Over the years there have been other efforts to keep its measures and guidance fresh.
NIST first released CSF in 2014 in response to an executive order from President Barack Obama, to help organizations “understand, reduce and communicate about cybersecurity risk.” It was initially built around six key functions: Identify, protect, detect, respond and recover.
Now, CSF 2.0 adds a seventh: Govern. Altogether, they’re meant to offer organizations a “comprehensive view of the life cycle for managing cybersecurity risk,” according to NIST.
Healthcare has had a mixed track record putting the CSF to work. Several years ago, one study showed fewer than half of health systems conforming with the framework’s controls.
But just this week a new report from KLAS and the American Hospital Association showed 71% of healthcare orgs deploying NIST CSF as a trusted cybersecurity framework, with 57% of respondents citing it as the primary one that they use. And those who adopt it have been known to expect lower year-over-year increases to the premiums on their cybersecurity policies, the report shows.
ON THE RECORD
“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said NIST Director Laurie E. Locascio in a statement. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,” added Kevin Stine, chief of NIST’s Applied Cybersecurity Division.
“As users customize the CSF, we hope they will share their examples and successes, because that will allow us to amplify their experiences and help others,” said Stine. “That will help organizations, sectors and even entire nations better understand and manage their cybersecurity risk.”
Mike Miliard is executive editor of Healthcare IT News
Email the writer: [email protected]
Healthcare IT News is a HIMSS publication.
>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : Healthcare IT News – https://www.healthcareitnews.com/news/nist-updates-cybersecurity-framework-version-20