The National Institute of Standards and Technology has finally unveiled the long-awaited cybersecurity framework that the White House has been pushing for. This framework provides best practices for voluntary use in all critical infrastructure sectors, including, for example, government, healthcare, financial services and transportation.
KnowBe4's Director of Security Research Brian Jack commented: "While the idea of the framework is good, there are already established frameworks that follow similar guidelines. This new set of requirements is actually not much more than a subset of existing requirements."
Jack continued: "If you take NIST SP 800-53 as the common set of requirements and the mappings provided in NIST SP 800-66, which is the 'Implementing HIPAA Security Rule' guide, and compare them to the new Cybersecurity Framework (CSF), you will notice that if you implement HIPAA using 800-66 you will have 52% of the CSF requirements covered, and if you implement the CSF you will have 86% of the HIPAA requirements covered."
KnowBe4's conclusion about the new CSF is that there is already a lot of 'general' overlap between nearly all best practices and standards. The new CSF will not change much, since it is only voluntary: we think the organizations that take compliance and security seriously are already meeting the requirements of the CSF, while the organizations that lack well-formed compliance and security processes will not dedicate time and money to a voluntary effort. More time and effort should be spent on changing the mindset around security and compliance rather than on coming up with new frameworks or requirements that are just subsets of existing ones.