
The HITRUST Approach to NIST CSF 2.0


“The Internet continues to connect individuals, businesses, communities, and countries on shared platforms that enable scaled business solutions and international exchange. But this accelerating global interconnectivity also introduces risks. An attack on one organization, sector, or state can rapidly spill over to other sectors and regions, as happened during Russia’s 2017 “NotPetya” cyberattack on Ukraine, which spread across Europe, Asia, and the Americas, causing billions of dollars in damage. The potential cost of attacks like this will only grow as interdependencies increase.” (National Cybersecurity Strategy)

It comes as no real surprise that the threat of cyber attacks on public and private sector organizations continues to increase in both prevalence and sophistication. A trend that has been ongoing for decades, it is no longer a question of ‘if’ an organization will be attacked and suffer a breach but one of ‘when’ and ‘how bad.’ While this seems rather dire on its face, knowing one will be attacked and potentially suffer a breach can also be empowering, in that such certainty can help facilitate an organization’s shift from the old paradigm of preventative cybersecurity to a new one of cyber resilience.

The U.S. government’s recent foray into the push for cyber resilience in the private sector nominally began with Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, Executive Order (EO) 13636 – Improving Critical Infrastructure Cybersecurity, and the Cybersecurity Enhancement Act of 2014, which formalized publication of the voluntary cybersecurity guidance required under the EO, now widely known as the NIST Cybersecurity Framework.

However, “while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, [the U.S. government is of the opinion that] the lack of mandatory requirements has resulted in inadequate and inconsistent [cybersecurity] outcomes.”

To address these issues, the government intends to:

  1. Use existing statutory authorities to issue new or updated cybersecurity regulations,
  2. Identify and close gaps in existing statutory authorities to regulate the private sector, and
  3. Encourage state or independent regulators to use their authorities in “a deliberate and coordinated manner” to support these efforts.
