Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, was issued by President Obama in 2013, and called for the development of a voluntary risk-based cybersecurity framework (CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” In response, the National Institute of Standards and Technology developed the NIST Cybersecurity Framework. The Framework is voluntary, and is based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure including the CCS CSCCOBITISO/IEC 27001:2013, and NIST SP 800-53 Rev. 4. The Framework was designed to help organizations manage and reduce cybersecurity risk, and to promote risk and cybersecurity management communications.

Guidance provided by the CSF is voluntary; no organization is required to use it. However, in many cases your customers may require, or at least request that you do. The Health and Human Services Office for Civil Rights (HHS OCR) has mapped HIPAA regulatory controls to the Framework.

According to NIST the Framework is made of three parts–Core, Implementation Tiers, and Profiles:

  • Core – “provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform.”
  • Implementation Tiers – “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4).”
  • Profiles – “enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.”

While many organizations adopt security controls and management frameworks to meet regulatory requirements such as HIPAA, a risk-based system is the best and most efficient way to approach cybersecurity. Adopting a controls-based approach to security is inefficient and expensive.