Informing Existing Sector Efforts

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

This Framework Guidance was developed to be intrinsically backwards compatible, meaning it can be used to enhance the success of existing sector-specific programs and inform sector-level goals and guidelines. The approaches below can be used to increase knowledge and enhance cybersecurity practices; the Framework can make them more effective. 

• Critical Infrastructure Cyber Community (C³) Voluntary Program:^[64]  The Critical Infrastructure Cyber Community (C³) Voluntary Program was launched in February 2014 in support of Executive Order 13636, which called on the Department of Homeland Security to help organizations use and understand the NIST Cybersecurity Framework. Although no longer active, the US-CERT makes resources related to the former C3 Voluntary Program and the NIST Cybersecurity Framework available on its website.^[65] 
• HPH Sector-Specific Plan:^[66]  The release of the 2016 HPH Sector-Specific Plan (SSP) reflects the maturation of the HPH Sector public-private partnership, and the progress of the sector programs first outlined in the 2007 and 2010 Sector-Specific Plans (SSPs). Changes from previous SSPs include a streamlined and updated set of goals and objectives and an increased emphasis on priorities such as information sharing and emergency response. The 2016 SSP represents a continued collaborative effort among the private sector; Federal, State, local, tribal, and territorial governments; and nongovernmental organizations to develop specific membership actions over the coming years required to reduce critical infrastructure risk and enhance Sector resilience.
  
• NISTIR 8268.^[67]  The NIST Interagency Report is intended to help improve communications (including risk information sharing) between and among cybersecurity professionals, high-level executives, and corporate officers at multiple levels. The goal is to assist personnel in these enterprises and their subordinate organizations as well as systems owners to better identify, assess, and manage cybersecurity risks in the context of their broader mission and business objectives. This document will help cybersecurity professionals understand what executives and corporate officers need to carry out ERM. This includes, but is not limited to, what data to collect, what analyses to perform, and how to consolidate and condition this discipline-specific risk information so that it provides useful inputs for ERM programs.
  
• NIST SP 800-63-3.^[68]  These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. The guidelines cover identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks (but may be used by other organizations, e.g., for e-prescription of medication). They define technical requirements in each of the areas of identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions.
  

⁶⁴ US-CERT (2014). DHS Announces Critical Infrastructure Cyber Community [C3] Voluntary Program.

⁶⁵ US-CERT (2020b). Resources.

⁶⁶ HHS (2016, May). Health Care and Public​ Health Sector-Specific Plan. Washington, DC: Author. 

⁶⁷ Stine, K., Quinn, Stephen, Witte, G., and Gardner, R. (2020, Oct). 

⁶⁸ Grassi, P., Garcia, M., and Fenton, J. (2017, Jun). Digital Identity Guidelines (NIST SP 800-63-3). Gaithersburg, MD: NIST.