ControlMap

NIST CSF 2.0 vs HIPAA

Side-by-side comparison of NIST Cybersecurity Framework 2.0 and HIPAA Security Rule across 49 cybersecurity controls.

46
Shared
3
NIST CSF 2.0 Only
0
HIPAA Only
0
Neither

Covered by Both (46 controls)

Controls recognized by both NIST CSF 2.0 and HIPAA.

Gp Governance Policy
GV.OC-01, GV.PO-01 | §164.308(a)(1)(i), §164.316(a)
 Aw Awareness & Training
PR.AT-01, PR.AT-02 | §164.308(a)(5)(i), §164.308(a)(5)(ii)(A)
 Rm Risk Management
GV.RM-01, GV.RM-02 | §164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B)
 Sc Supply Chain Risk
GV.SC-01, GV.SC-03 | §164.308(b)(1), §164.314(a)(1)
 Rr Roles & Responsibilities
GV.RR-01 | §164.308(a)(2), §164.308(a)(3)(i)
 Cm Compliance
GV.OC-02 | §164.308(a)(8), §164.316(b)(1)
 Am Asset Management
ID.AM-01, ID.AM-02 | §164.310(d)(1), §164.310(d)(2)(iii)
 Ra Risk Assessment
ID.RA-01, ID.RA-02 | §164.308(a)(1)(ii)(A)
 Be Business Environment
ID.BE-01 | §164.308(a)(1)(i)
 Da Data Classification
ID.AM-05 | §164.312(a)(1)
 Vn Vulnerability Mgmt
ID.RA-01 | §164.308(a)(1)(ii)(A), §164.308(a)(8)
 Ac Access Control
PR.AA-01, PR.AA-03 | §164.312(a)(1), §164.312(a)(2)(i)
 Mf Multi-Factor Auth
PR.AA-03 | §164.312(d)
 En Encryption
PR.DS-01, PR.DS-02 | §164.312(a)(2)(iv), §164.312(e)(2)(ii)
 Dp Data Protection
PR.DS-01, PR.DS-02, PR.DS-10 | §164.312(a)(2)(iv), §164.312(c)(1), §164.312(e)(1)
 Bk Backup & Recovery
PR.DS-11 | §164.308(a)(7)(ii)(A), §164.310(d)(2)(iv)
 Pa Privileged Access
PR.AA-05 | §164.312(a)(1), §164.308(a)(3)(ii)(B)
 Fw Firewall / Net Seg
PR.IR-01 | §164.312(e)(1)
 Ep Endpoint Protection
PR.IR-01 | §164.308(a)(5)(ii)(B), §164.310(d)(1)
 Pm Patch Management
PR.PS-01 | §164.308(a)(1)(ii)(A), §164.308(a)(8)
 Cf Secure Config
PR.PS-01 | §164.310(d)(1), §164.312(a)(1)
 Ml Email Security
PR.IR-01 | §164.308(a)(5)(ii)(A), §164.312(e)(1)
 Ws Web Security
PR.IR-01 | §164.312(e)(1)
 Zt Zero Trust
PR.AA-01, PR.AA-03, PR.IR-01 | §164.312(a)(1)
 Mb Mobile Security
PR.PS-01 | §164.310(d)(1), §164.312(a)(1)
 Cl Cloud Security
PR.PS-01, PR.DS-01 | §164.308(b)(1), §164.314(a)(1)
 Wf WAF
PR.IR-01 | §164.312(e)(1)
 Dl DLP
PR.DS-10 | §164.312(a)(1), §164.312(e)(1)
 Sm Cont. Monitoring
DE.CM-01, DE.CM-03 | §164.312(b)
 Lg Logging & Audit
DE.AE-02, DE.AE-03 | §164.312(b), §164.308(a)(1)(ii)(D)
 Id Intrusion Detection
DE.CM-01 | §164.308(a)(1)(ii)(D), §164.312(b)
 An Anomaly Detection
DE.AE-01, DE.AE-04 | §164.308(a)(1)(ii)(D)
 Sg SIEM / SOC
DE.AE-02, DE.AE-06 | §164.308(a)(1)(ii)(D), §164.312(b)
 Ir Incident Response
RS.MA-01, RS.MA-02 | §164.308(a)(6)(i), §164.308(a)(6)(ii)
 Fn Forensics
RS.AN-03 | §164.308(a)(6)(ii)
 Co Communication
RS.CO-02, RS.CO-03 | §164.308(a)(6)(ii), §164.404(a)(1)
 Mt Mitigation
RS.MI-01, RS.MI-02 | §164.308(a)(6)(ii)
 Rp Reporting
RS.CO-02 | §164.308(a)(6)(ii), §164.404(a)(1), §164.408(a)
 Rc Recovery Planning
RC.RP-01, RC.RP-02 | §164.308(a)(7)(i), §164.308(a)(7)(ii)(B)
 Bc Business Continuity
RC.RP-03, RC.RP-04 | §164.308(a)(7)(i), §164.308(a)(7)(ii)(C)
 Ll Lessons Learned
RC.RP-06 | §164.308(a)(8)
 Cr Comms & Restore
RC.CO-03, RC.CO-04 | §164.308(a)(7)(ii)(C)
 Dr Disaster Recovery
RC.RP-01 | §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B)
 Ap API Security
PR.IR-01, PR.AA-03 | §164.312(a)(1), §164.312(e)(1)
 It Insider Threat
DE.CM-03, DE.AE-01 | §164.308(a)(3)(ii)(A), §164.308(a)(4)
 Vr Vendor Risk Mgmt
GV.SC-01, GV.SC-03, GV.SC-06 | §164.308(b)(1), §164.314(a)(1), §164.314(a)(2)(i)

Only in NIST CSF 2.0 (3 controls)

Controls covered by NIST CSF 2.0 but not HIPAA. Organizations using HIPAA should consider supplementing with these.

Ti Threat Intelligence
DE.AE-07
 Sd Secure Development
PR.PS-06
 Ds DNS Security
PR.IR-01

Summary: NIST CSF 2.0 vs HIPAA

NIST Cybersecurity Framework 2.0 and HIPAA Security Rule share 46 controls in common out of 49 total. NIST CSF 2.0 uniquely covers 3 controls that HIPAA does not, including Threat Intelligence, Secure Development, DNS Security. HIPAA uniquely covers 0 controls that NIST CSF 2.0 does not. Together, these two frameworks cover all tracked controls. For comprehensive cybersecurity coverage, organizations often adopt both frameworks or supplement with other frameworks.

Other Comparisons

NIST CSF 2.0 vs ISO 27001NIST CSF 2.0 vs CIS v8NIST CSF 2.0 vs SOC 2NIST CSF 2.0 vs PCI DSSNIST CSF 2.0 vs CMMCNIST CSF 2.0 vs 800-53NIST CSF 2.0 vs GDPRISO 27001 vs CIS v8ISO 27001 vs SOC 2ISO 27001 vs PCI DSSISO 27001 vs CMMCISO 27001 vs 800-53ISO 27001 vs HIPAAISO 27001 vs GDPRCIS v8 vs SOC 2CIS v8 vs PCI DSSCIS v8 vs CMMCCIS v8 vs 800-53CIS v8 vs HIPAACIS v8 vs GDPRSOC 2 vs PCI DSSSOC 2 vs CMMCSOC 2 vs 800-53SOC 2 vs HIPAASOC 2 vs GDPRPCI DSS vs CMMCPCI DSS vs 800-53PCI DSS vs HIPAAPCI DSS vs GDPRCMMC vs 800-53CMMC vs HIPAACMMC vs GDPR800-53 vs HIPAA800-53 vs GDPRHIPAA vs GDPR
View Interactive Dashboard