WHAT IS NIST?
Recognizing that the national and economic security of the United States depends on the reliable function of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST's EO 13636 role. Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
NIST Cyberframework Homepage NIST FRAMEWORK TEMPLATE 1.1
Listed below are the current, up-to-date Healing Hearts policies and the steps taken to attempt to get to the NIST Framework.
IDENTIFY (ID)
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
Software Inventory
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
Link
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
Link
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Link
Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization's role in the supply chain is identified and communicated
Link
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
Link
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
Link
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
Link
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
Link
