Cautionary Note

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

This publication is not intended to replace or subsume other cybersecurity-related activities, programs, processes, or approaches that Health Care and Public Health (HPH) Sector organizations have implemented or intend to implement, including any cybersecurity activities associated with legislation, regulations, policies, programmatic initiatives, or mission and business requirements. Additionally, this publication uses the words “adopt," “use," and “implement" interchangeably. These words are not intended to imply compliance or mandatory requirements.

This document was developed in part based on feedback provided by public and private sector organizations under the Critical Infrastructure Partnership Advisory Council (CIPAC)^[1] framework. The U.S. Government has made no representation with respect to the sufficiency of this document in complying with any Federal requirement, nor does the U.S. Government endorse the use of this document or any products or services referenced within, over the use of any other products, services, frameworks, tools, or standards. This document is also considered a “living" document and subject to update, as needed, to best serve the health care industry.

¹ Cybersecurity & Infrastructure Security Agency, CISA (2021a). Critical Infrastructure Partnership Advisory Council.