📰 NIST Releases CSF 2.0 | Tuesday Times | April 30th, 2024

josem.serrano Member Posts: 69 admin
edited May 2 in General Community

What is Tuesday Times?

Tuesday Times is a weekly series where every Tuesday we will highlight a handful of recent cybersecurity-related news stories. We will provide brief summaries of these news stories and link the articles directly, should you want to read more!

Feel free to comment on any of the articles highlighted, or even share your own in the comments below!


NIST Releases Version 2.0 of Landmark Cybersecurity Framework

  • Our main story today is the oldest article highlighted in this post; however, since it is directly related to cybersecurity compliance and involves one of the most used frameworks, we'll let it slide this time!
  • The National Institute of Standards and Technology (NIST) has released the first major update to its Cybersecurity Framework (CSF) since 2014. A major change is that the original target audience has shifted from controllers and operators of critical infrastructure to all organizations.
  • The number of functions has also increased to six, with the introduction of the Govern function, and some of the categories and controls have also been updated or removed. The ease of implementation has also been improved by NIST releasing new resources like the CSF 2.0 Reference Tool, implementation examples, and quick start guides.

FTC Health Breach Notification Rule puts new provisions in place to protect users of health apps and devices

  • The Federal Trade Commission (FTC) updated the Health Breach Notification Rule (HBNR) to include health apps and other similar technologies that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).
  • The update requires these companies to notify individuals, the FTC, and sometimes the media if there has been a breach of security involving personally identifiable health data. The Final Rule defines a breach of security as "an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure."
  • Please note that this does not include all of the changes to the HBNR, and if you are interested, we recommend you read the Federal Register Notice for the complete story.

FCC Fines Largest Wireless Carriers for Sharing Location Data

  • On April 29th, 2024, the Federal Communications Commission (FCC) fined some of the US's largest wireless carriers for "illegally sharing access to customers' location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure."
  • The fines equate to just under $200 million and include the following companies: AT&T, Verizon, and Sprint/T-Mobile (now merged). The FCC claims that these carriers "Sold Access to Location Data to Third Parties Without Customer Consent and Continued to Do So Without Reasonable Safeguards."
  • If you'd like to read the official news release from the FCC, please click here.