HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Second Draft of the Revised NIST Cybersecurity Framework Published

The second draft of the revised NIST Cybersecurity Framework has been published. Version 1.1 of the Framework includes important changes to some of the existing guidelines and several new additions.

Version 1.0 of the NIST Cybersecurity Framework was first published in 2014 with the aim of helping operators and owners of critical infrastructure assess their risk profiles and improve their ability to prevent, detect, and respond to cyberattacks. The Framework establishes a common language for security models, practices, and security controls across all industries.

The Framework is based on globally accepted cybersecurity best practices and standards, and adoption of the Framework helps organizations take a more proactive approach to risk management. Since is publication in 2014, the Framework has been adopted by many private and public sector organizations to help them develop and implement effective risk management practices.

Following the release of the CSF, NIST has received numerous comments from public and private sector organizations on potential enhancements to improve usability of the Framework. Those comments were taken on board and incorporated in the first revised draft of the Framework which was published in January 2017. The latest draft includes several refinements that take into account feedback received on the first draft of the revised Framework.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Several changes have been made in version 1.1 of the NIST CSF to meet the requirements of the Cybersecurity Enhancement Act of 2014, which led to the creation of the NIST CSF. The first version of the NIST CSF failed to address all of the requirements, although the latest update brings the NIST CSF closer to meeting all of its initial goals.

The latest version of the Framework clarifies some of the language relating to cybersecurity measurement, further guidance is included on improving supply chain security, and changes have been made to incorporate mitigating risk of IoT devices and operational technology.

NIST has also issued an update to its Roadmap for Improving Critical Infrastructure Security which details several topics that will be considered for upcoming revisions of the Framework and details of future planned activities.

Adoption of the Framework is voluntary for most organizations, which can choose an appropriate implementation tier to suit their cybersecurity risk management practices. However, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May 2017 made adoption of the Framework mandatory for all federal agencies.

Comments on the second draft of the revised NIST Cybersecurity Framework are being accepted until January 19, 2018. The final version of version 1.1 of the Cybersecurity Framework is expected to be released in Spring 2018.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.