2018 cybersecurity projections are in!

TLP White

This week’s H-ISAC Hacking Healthcare:


Hot Links –

  1. New NIST Draft – NIST published[1] a “second draft of the proposed update” to its Cybersecurity Framework last week. Your comments are due to NIST by January 19, 2018.

A quick history lesson — the original Framework was released in February 2014. In winter 2015 and spring of 2016, NIST solicited feedback on the original version. In January of this year, they released a “first draft” of version 1.1.

This “second draft” incorporates comments submitted over the last year to that first draft.

The big changes are:

  • The inclusion of a robust new category in the “Identify” function around Supply Chain Risk Management.
  • New subcategories in Prevent-Access Control (PR.AC-6 and PR.AC-7) related to identity proofing and credential management, as well as device authentication.
  • A new subcategory (PR.DS-8) in Prevent-Data Security for verifying hardware integrity.
  • A new subcategory (PR.PT-5) in Prevent-Protective Technology that focuses on increasing system availability.
  • A new subcategory (RS.AN-5) in Respond-Analysis that addresses vulnerability disclosure and management.
  • A number of new reference standards, primarily from CIS and COBIT.
  • A refocusing of section 4 as “Self-Assessing Cybersecurity Risk with the Framework”, which “better emphasize[s] how organizations might use the Framework to measure their risk”, as Mike Barrett of NIST has put it.[2]

[1] https://www.nist.gov/cybersecurity-framework/cybersecurity-framework-draft-version-11

[2] https://www.darkreading.com/cloud/nist-releases-new-cybersecurity-framework-draft/d/d-id/1330579?piddl_msgid=330189#msg_330189

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC.
