The figure below depicts how specific types of Informative References relate to the NIST Cybersecurity Framework Core and can subsequently be used to help specify the controls organizations need to achieve the cybersecurity outcomes articulated by the NIST Subcategories.

Figure 26. Using the HITRUST CSF to Support NIST Cybersecurity Framework Implementation

The HITRUST CSF is a recognized NIST Cybersecurity Framework Core Informative Reference [167] and serves as the foundation for the first Healthcare and Public Health (HPH) sector [168] guide on implementation of the NIST Cybersecurity Framework [169], which was first developed and published in 2016 by the Critical Infrastructure Protection Advisory Council (CIPAC [170]) HPH Sector Coordinating Council (SCC [171]) Joint HPH Cybersecurity Working Group (WG) Risk Management Sub-WG.

For more information on how to implement the NIST Cybersecurity Framework, see the current version of the CIPAC guidance [172] mentioned above or the latest HITRUST-specific guidance on how to leverage the NIST Cybersecurity Framework released in early 2024 [173].

[167] NIST (2022e). National Online Informative References Program: Informative Reference Catalog.

[168] Public Health Emergency, PHE (2022). Preparedness: Planning: Critical Infrastructure Protection: [HPH] Sector.

[169] Joint HPH Cybersecurity WG (2016, May). Healthcare Sector Cybersecurity Framework Implementation Guide.

[170] Cybersecurity & Infrastructure Agency, CISA (2022a). Critical Infrastructure Partnership Advisory Council.

[171] CISA (2022b). Infrastructure Security: Critical Infrastructure Sector Partnerships: Sector Coordinating Councils.

[172] HPH Sector Cybersecurity Working Group (2023, Mar). HPH Sector Cybersecurity Framework Implementation Guide Version 2. Wash. DC: Author.

[173] Cline, B. (2024). The HITRUST Approach to Cyber Resilience: Leveraging HITRUST to Implement the NIST Cybersecurity Framework, Version 2.0. Frisco, TX: HITRUST.