Risk Management Framework Updated by NIST

The National Institute of Standards and Technology (NIST) has released the final version of its updated Risk Management Framework (RMF 2.0). RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security issues involved in IT risk management.

One major modification in the updated RMF is a new ‘Prepare’ step. This extra step entails assigning duties to particular persons, implementing enterprise-wide privacy and security controls, removing unnecessary functions, publishing common controls, and ensuring efficient communication between the board and employees. The ‘Prepare’ step, which comes before the Categorize step, was introduced to make security and privacy risk management procedures more efficient and cost-effective.

RMF 2.0 demands the maximum usage of automation in implementing the framework guidelines to enable continuous evaluation and tracking of privacy and security controls, and the preparation of authorization packages to aid and speed up decision making.

NIST specified 7 primary goals for the updated RMF:

  • To accomplish closer collaboration and communication between the risk management procedures at the board level and the people, procedures, and activities at the system/operational level.
  • To standardize critical risk management preparatory procedures at all risk management levels.
  • To show how the NIST Cybersecurity Framework is aligned with the RMF.
  • To incorporate privacy risk management procedures into the RMF.
  • To promote the development of secure software and systems by aligning life cycle-based systems engineering processes with the RMF.
  • To merge security-related supply chain risk management (SCRM) ideas into the RMF to deal with untrustworthy vendors, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices in the SDLC.
  • To provide for an organization-created control selection strategy to enhance the traditional baseline control selection method and support the usage of the NIST consolidated control list (SP 800-53, Revision 5).

The Office of Management and Budget (OMB) calls for all states and agencies to adhere to RMF 2.0 when managing security and privacy risks. RMF 2.0 enables them to address privacy and security risks within a single framework.