February 12, 2019

NIST CSF Risk Assessment: Not Reasonable or Appropriate
As mentioned last week, the possible answers to whether you meet the requirements of a NIST CSF Safeguard are: yes; yes, alternate method; no; and NRA (not reasonable or appropriate).
The acceptable reasons for claiming NRA status are: Cost, Organization Size, Complexity, or Alternate Solution.
In the Jumpstart program we have developed patterns of NRA for specific organizations, such as a small office practice or a startup software company. We ask the company to confirm that these apply to them. If they agree, we inactivate these NIST policies. They are no longer visible in the Jumpstart program but can be reactivated if needed in the future.
When we score the NIST CSF Risk Assessment, these Safeguards are marked NRA. An NRA answer is scored the same as a Yes. For small organizations this can give them as much as a 30% Jumpstart on their NIST CSF Risk Assessment.
Initial HIPAA compliance can be achieved in a few days and maintained by accomplishing a few tasks per month.
The Jumpstart method is a cost-effective, simple, and quick way to get HIPAA compliant and prove it with a NIST CSF Risk Assessment.

