NIST Issues an Updated Cybersecurity Risk Management Framework

Published: October 26, 2017

Cybersecurity, Policy and Legislation

The draft updated Risk Management Framework (RMF) addresses requirements in the Trump Administration’s Cyber Executive Order.

Recently, the National Institute of Standards and Technology (NIST) released a draft update of its Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations. The update responds to provisions in May’s White House Cybersecurity Executive Order (EO) and to the related Office of Management and Budget (OMB) implementation guidance to federal agencies, which call for NIST to develop the next-generation Risk Management Framework (RMF) for systems and organizations.

Update Objectives

There are four major objectives that NIST outlined for this update:

  • Integrate RM governance into enterprise operations – NIST wants to provide closer ties between RM activities at an organization’s C-level and those at the system and operational level.
  • Build a federal use case – Demonstrate how the Cybersecurity Framework can be implemented using the NIST risk management processes.
  • Integrate privacy and RM – Integrate privacy concepts into the RMF and support the use of NIST’s security and privacy control catalog in its related guidance.
  • Institutionalize RM – Institutionalize critical enterprise-wide RM preparatory activities to enable streamlined execution of the RMF at the system and operational level.

What’s New?

NIST notes that this last item on institutionalizing an organization’s preparation step is one of the key changes to the RMF, “incorporated to achieve more effective, efficient, and cost-effective risk management processes.”

They provide the following objectives for institutionalizing organizational preparation:

  • Better communication – Between senior leaders at the enterprise levels and system owners regarding the implementation of security and privacy controls within the organization’s risk tolerance.
  • Common controls – By development of organization-wide security and privacy controls to reduce the workload and cost to system owners.
  • Reduce complexity – By consolidating, standardizing, and optimizing systems, applications, and services through enterprise architecture.
  • Prioritization – By focusing on high-value assets and high-impact systems that require increased levels of protection and moving lower-impact systems to the cloud or shared services.

NIST is not yet soliciting public comments for this discussion draft, but simply issued it to promote discussion on the new organizational preparation step and the other elements introduced in RMF 2.0. Public comments will be accepted in November after NIST publishes an initial public draft. A final draft is planned for January 2018 with final publication slated for March.