NIST updates outline first-ever cybersecurity measurements

NIST's updated cybersecurity framework includes new metrics to quantify the impact of cybersecurity efforts.

For the first time, organizations seeking an objective way to quantify cybersecurity performance can use updated federal guidelines aimed at measuring the impact of cybersecurity interventions and business objectives.

The updated draft guidelines (PDF) released this week by the National Institute of Standards and Technology (NIST) include specific updates on cybersecurity metrics, considerations for supply chain risk management, and common terminology for communicating with outside partners and vendors.

The NIST Cybersecurity Framework, originally released in 2014, has provided a baseline for cyber defense. The agency plans to accept any additional comments on the updated guidance through April 10.


The draft updates incorporate comments NIST solicited over the past year. During that time, both the College of Healthcare Information Management Executives (CHIME) and the Health Information Management and Systems Society (HIMSS) have submitted critiques calling for NIST to develop metrics to measure progress within the framework and a standardized approach to communicate with outside organizations.


The guideline laid out four metrics for cybersecurity measurement covering risk management behaviors along with activities and achievements tied to specific outcomes.

“In the update we introduce the notion of cybersecurity measurement to get the conversation started,” said Matt Barrett, NIST’s program manager for the Cybersecurity Framework, in an announcement. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”

NIST also expanded its guidelines for cyber supply chain risk management, including recommendations for communicating cybersecurity requirements with vendors and partners, creating contracts and verifying those requirements are met.
