The National Institute of Standards and Technology (NIST) released updated system-planning guidance that broadens federal cybersecurity documentation to cover security, privacy, and cybersecurity supply chain risk management (C-SCRM).
The revision – titled Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems – consolidates information on how organizations develop and maintain key risk management documentation for information systems.
NIST said system plans consolidate information about assets, individuals, authorization boundaries, interconnected systems, data flows, responsible personnel, internal and external environments, and risk-management controls.
Additionally, the updated elements are correlated with the steps and tasks of the NIST Risk Management Framework to provide a streamlined approach to system plan development.
The update also points agencies and contractors toward machine-readable data formats to support automated data collection using widely deployed platforms including governance, risk, and compliance (GRC) tools; security orchestration, automation, and response (SOAR) platforms; and security information and event management (SIEM) systems.
NIST said dashboards enabled by those platforms can support “near real time risk management decision-making and reduce the reliance on static, point-in-time documentation.”
NIST also included “a suite of supplemental materials” alongside the update:
- System Security Plan Outline Example: Structured guidance for documenting security requirements and controls
- System Privacy Plan Outline Example: Structured guidance for documenting privacy requirements and controls
- C-SCRM Plan Outline Example: Based on the C-SCRM plan template in SP 800-161r1
- System Plan Roles and Responsibilities: Updated guidance on identifying key personnel roles in system plan development and maintenance
According to NIST, these templates will be especially helpful for organizations that continue to rely on document-based system plans.