The National Cybersecurity Center of Excellence (NCCoE) has released for public comment the initial public draft of NIST Internal Report (NIST IR) 8467, Cybersecurity Framework Profile for Genomic Data.
The comment period is now open through July 17, 2023.
About the Report
The Cybersecurity Framework (CSF) Profile for Genomic Data provides voluntary guidance to help organizations manage, reduce, and communicate cybersecurity risks for systems, networks, and assets that process genomic data.
This publication is a follow-on effort to NIST Internal Report (NIST IR) 8432, The Cybersecurity of Genomic Data, and was developed in collaboration with stakeholders across industry, academia, and government.
This effort is informed by direction from Congress, the White House, and NIST’s existing expertise in genomics as well as cybersecurity.
The Profile identifies 12 genomic-related Mission Objectives and prioritizes relevant CSF Subcategories to help organizations protect genomic data throughout the data lifecycle.
Organizations processing genomic data can use this guidance to:
- Understand genomic data cybersecurity considerations
- Assess current organizational cybersecurity practices to identify gaps and areas of improvement for existing practices or infrastructure
- Develop individualized organizational Current (As-Is) and Target (To-Be) Profiles
- Prioritize investments in cybersecurity capabilities aligned to the CSF Subcategories identified as most important to support organizational Mission Objectives
- Understand the relationship between cybersecurity and privacy risk management
The CSF Profile for Genomic Data is intended to supplement, not replace, current cybersecurity standards, regulations, and industry guidelines.
Organizations should consider their unique obligations, operating environment, and Mission Objectives when prioritizing and implementing cybersecurity capabilities and controls.
While the focus of this CSF Profile is cybersecurity, whenever human genomic data is processed, privacy risk management considerations must also be addressed.
As a result, privacy is referenced in multiple places throughout the CSF Profile where cybersecurity and privacy risks overlap.
NIST plans to address the broader privacy landscape for genomic data by creating a Profile using the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (“Privacy Framework”).
Once created, the Privacy Framework Profile for Genomic Data should be used as a complementary tool to this CSF Profile.
Submit Comments
The public comment period closes at 11:59 PM ET on Monday, July 17, 2023. Email all draft comments to genomic_cybersecurity_nccoe@nist.gov.
Submit all feedback using the comment template found on our project page.
Join the Community of Interest
If you have expertise in genomic data and/or cybersecurity, consider joining the NCCoE Genomics Cybersecurity Community of Interest (COI) to receive the latest project news and announcements.
Email the team at genomic_cybersecurity_nccoe@nist.gov declaring your interest, or complete the sign-up form on our project page.
What is a Cybersecurity Framework (CSF) Profile?
A Cybersecurity Framework (CSF) Profile represents the outcomes based on business needs that an organization has selected from the NIST CSF Categories and Subcategories.
Profiles offer a prioritization of NIST CSF Categories and Subcategories based on the mission and operational considerations common to a specific group, such as the genomics sector.
Profiles serve as a useful starting point for identifying cybersecurity activities and outcomes that may be important to the selected group.
Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state).
They also offer an organization a consistent way to discuss cybersecurity objectives across organizational roles—from senior leadership to technical implementors—using common terminology.
Individuals within the organization can use the Profile to prioritize the allocation of resources to cybersecurity improvements or to areas of particular concern.
