The figure below depicts how specific types of Informative References relate to the NIST Cybersecurity Framework Core and can then be used to specify the controls organizations need to achieve the cybersecurity outcomes articulated by the NIST Subcategories.

Figure 23. Using the HITRUST CSF to Support NIST Cybersecurity Framework Implementation

The HITRUST CSF is a recognized NIST Cybersecurity Framework Core Informative Reference [163] and serves as the foundation for the first Healthcare and Public Health (HPH) sector [164] guide on implementation of the NIST Cybersecurity Framework, [165] which was first developed and published in 2016 by the Critical Infrastructure Protection Advisory Council (CIPAC [166]) HPH Sector Coordinating Council (SCC [167]) Joint HPH Cybersecurity Working Group (WG) Risk Management Sub-WG.

For more information on how to implement the NIST Cybersecurity Framework, users can leverage the CIPAC guidance mentioned above—as it applies just as well to non-healthcare organizations—or its update scheduled for release in late 2022. HITRUST Organizations can expect to use HITRUST-specific guidance on how to leverage the NIST Cybersecurity Framework by late 2023. [168]

163 NIST (2022e). National Online Informative References Program: Informative Reference Catalog.

164 Public Health Emergency, PHE (2022). Preparedness: Planning: Critical Infrastructure Protection: [HPH] Sector.

165 Joint HPH Cybersecurity WG (2016, May). Healthcare Sector Cybersecurity Framework Implementation Guide.

166 Cybersecurity & Infrastructure Agency, CISA (2022a). Critical Infrastructure Partnership Advisory Council.

167 CISA (2022b). Infrastructure Security: Critical Infrastructure Sector Partnerships: Sector Coordinating Councils.

168 Cline, B. (2023). The HITRUST Approach to NIST Cybersecurity Framework Implementation, Version 2.0. Frisco, TX: HITRUST.