The National Institute of Standards and Technology (NIST) released the final version of its new Risk Management Framework (RMF), NIST SP 800-37 Revision 2, addressing both security and privacy concerns in IT risk management.
Under Circular A-130 from the Office of Management and Budget (OMB), federal agencies are required to follow the revised RMF.
“RMF 2.0 gives federal agencies a very powerful tool to manage both security and privacy risks from a single, unified framework,” said Ron Ross, a fellow at NIST. “It ensures the term compliance means real cybersecurity and privacy risk management, not just satisfying a static set of controls in a checklist.”
The framework encourages collaboration on plans and assessments for security and privacy, making both key to the authorization decision.
“The unified and collaborative approach to bring security and privacy evidence together in a single authorization package will support authorizing officials with critical information from security and privacy professionals to help inform the authorization decision,” the framework states.
One of the main changes highlighted by NIST is the addition of the Prepare step to the framework, which includes assigning key roles to individuals, publishing common controls available for inheritance, and continuously monitoring the effectiveness of controls. The agency noted that the Prepare step was added “to achieve more effective, efficient, and cost-effective security and privacy risk management processes.” Prepare becomes the new first step of the RMF, followed by Categorize.
The update also calls for maximum use of automation in executing the RMF, calling the technology “particularly useful in the assessment and continuous monitoring of controls, the preparation of authorization packages for timely decision-making, and the implementation of ongoing authorization approaches.”
The risk management framework lists seven objectives for the update:
- To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
- To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
- To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
- To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes … with the relevant tasks in the RMF;
- To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.