On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017.
The Cybersecurity Framework is aimed at industries vital to national and economic security, including energy, banking, communications, and defense. By compiling effective standards, guidelines, and practices into one framework, it provides a universal structure that can be tailored to varied methods of cybersecurity.
The new version includes updates on:
- authentication and identity;
- self-assessing cybersecurity risk;
- managing cybersecurity within the supply chain; and
- vulnerability disclosure.
Adoption of the Cybersecurity Framework is voluntary and open to large and small entities across all industries, and it can help organizations address privacy issues related to customers, employees, patients, and other parties.
The Cybersecurity Framework is particularly beneficial to the healthcare industry. Many healthcare entities, such as research institutions, have successfully implemented the standards set forth in the Cybersecurity Framework to help them comply with HIPAA. While the HIPAA Security Rule does not require use of the Cybersecurity Framework, many covered entities and business associates have adopted the Cybersecurity Framework to enhance their cybersecurity programs and implement appropriate security measures to protect ePHI.
Engagement and collaboration with stakeholders will continue as the Cybersecurity Framework develops further. It “will need to evolve as threats, technologies and industries evolve,” said Matt Barrett, program manager for the Cybersecurity Framework. To further assist companies, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which will elaborate on key areas of development, alignment, and collaboration. Additionally, NIST will host a webcast explaining the Cybersecurity Framework on April 27, 2018, at 1 p.m. Eastern time, and a Cybersecurity Risk Management Conference on November 6-8, 2018, in Baltimore, Maryland. Detailed information on the conference will soon be available on the NIST website.
Special thanks to Robert Kantrowitz* for his assistance in drafting this post.
*Law Clerk–Pending admission to the New York Bar.