NIST updates Cybersecurity Framework with Version 2.0
The National Institute of Standards and Technology this week announced a significant update to its Cybersecurity Framework, which has been helping healthcare and other organizations of all shapes and sizes manage and mitigate increasingly severe cyber threats for the past 10 years.
WHY IT MATTERS
NIST is touting the new CSF 2.0 as the first major update to the framework since it was first published and disseminated a decade ago.
The updated edition, developed over several years and shaped by a wide array of stakeholder comments, including those received on the draft published this past August, is meant for a wider audience than the IT and infosec leaders in critical infrastructure for whom the first version was designed in 2014.
As ransomware attacks and other cybersecurity threats have intensified and proliferated, CSF 2.0 is now aimed at "all industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations – regardless of their degree of cybersecurity sophistication," according to the agency.
NIST has broadened CSF's guidance and put together new resources to help users put CSF 2.0 into action and better align with the recent National Cybersecurity Strategy.
The new framework puts a focus on governance, according to NIST, emphasizing that "cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation."
It offers resources to help organizations new to the framework learn from others who have found success with it, and provides a series of quick-start guides and other examples built around distinct users and use cases. NIST's new CSF 2.0 Reference Tool helps IT and security leaders browse, search and export data and details from the guidance in formats that are readable by both humans and machines.
Its Cybersecurity and Privacy Reference Tool, meanwhile, contains an "interrelated, browsable and downloadable set of NIST guidance documents that contextualizes these NIST resources, including the CSF, with other popular resources."
The tool offers tips for communicating these ideas to both technical experts and the C-suite – a longtime challenge for cybersecurity pros at all levels – so all stakeholders can stay coordinated across an organization.
THE LARGER TREND
NIST has continually sought insights into how the CSF is working for critical infrastructure organizations since it was first published, and from the early days has incorporated that feedback into improving the framework.
Over the years there have been other efforts to keep its measures and guidance fresh.
NIST first released CSF in 2014 in response to an executive order from President Barack Obama, to help organizations "understand, reduce and communicate about cybersecurity risk." It was initially built around six key functions: Identify, Protect, Detect, Respond and Recover.
Now, CSF 2.0 adds a seventh: Govern. Altogether, they're meant to offer organizations a "comprehensive view of the life cycle for managing cybersecurity risk," according to NIST.
Healthcare has had a mixed track record putting the CSF to work. Several years ago, one study showed fewer than half of health systems conforming with the framework's controls.
But just this week a new report from KLAS and the American Hospital Association showed 71% of healthcare orgs deploying NIST CSF as a trusted cybersecurity framework, with 57% of respondents citing it as the primary one that they use. And those who adopt it have been known to expect lower year-over-year increases to the premiums on their cybersecurity policies, the report shows.
ON THE RECORD
"The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats," said NIST Director Laurie E. Locascio in a statement. "CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve."
"Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad," added Kevin Stine, chief of NIST's Applied Cybersecurity Division.
"As users customize the CSF, we hope they will share their examples and successes, because that will allow us to amplify their experiences and help others," said Stine. "That will help organizations, sectors and even entire nations better understand and manage their cybersecurity risk."
Mike Miliard is executive editor of Healthcare IT News
Healthcare IT News is a HIMSS publication.