This week, Hacking Healthcare™ examines the recent publication of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) update from v1.1 to v2.0. We briefly examine what’s new, then dig into what the changes mean, the international impact this revision will likely have, and some considerations for Health-ISAC members looking to adopt or transition to v2.0.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
PDF version:
TLP WHITE-6c036b80-Health-ISAC Weekly Blog -- Hacking Healthcare™
Text version:
Welcome back to Hacking Healthcare™.
NIST Publishes CSF 2.0
After roughly a decade since v1.0 was released, the NIST CSF has undergone a major revision that was finalized by NIST on Monday.[i], [ii] The new CSF v2.0 includes quality of life improvements, makes clarifications, and adds necessary substantive revisions to keep the framework relevant, while retaining the effective general structure with which users are familiar with.
What Is the NIST CSF
For those unfamiliar with the NIST CSF, it was originally published in 2014 as a framework to help organizations manage and reduce cyber risk. While it was specifically targeted at U.S. critical infrastructure sectors, it was ultimately designed to be agnostic to an entity’s size, sector, and organizational structure and was meant to be helpful and accessible to organizations regardless of where they are in their cybersecurity maturity journey. The NIST CSF has been extremely successful across industries and has had a global impact.
What’s New?
The largest differences can be found in the following areas:
- – Governance & Supply Chain Risk: CSF 2.0 introduces a new function, Govern, that is described as covering how an organization’s “cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.[iii] The Govern function also sees an elevation of supply chain considerations with the inclusion of Cybersecurity Supply Chain Risk Management category and ten subcategories.
- – References & New Tools: One change that will be strikingly apparent is the removal of informative references from each subcategory. While the CSF v1.1 conveniently placed these references in the right-most column of the document, NIST has eliminated this in favor of hosting the references online at its new Cybersecurity and Privacy Reference Tool (CPRT).[iv] In general, there are a few new tools that CSF v2.0 will look to take more advantage of, including the CPRT and CSF 2.0 Implementation Examples.
Actions & Analysis
**Included with Health-ISAC Membership**
Upcoming International Hearings/Meetings
- EU
- – No relevant meetings at this time
- US
- – No relevant meetings at this time
- Rest of World
- – Health-ISAC APAC Summit (3/19 – 3/21)
[i] https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework
[ii] https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
[iii] https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
[iv] https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/CSF_2_0_0/home
[vi] https://www.nist.gov/privacy-framework
[vii] https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf
[viii] https://www.nist.gov/cyberframework/csf-11-archive/translations#csf-11
[ix] https://www.nist.gov/cyberframework/success-stories
[x] https://www.nist.gov/cyberframework/csf-11-international-resources
[xi] https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework
[xii] https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework
[xiii] https://www.nist.gov/cyberframework/csf-11-archive/translations#csf-20
[xiv] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1299.pdf