NIST Publishes Final Version of Amended Risk Management Framework
The National Institute of Standards and Technology (NIST) has published the final version of its amended Risk Management Framework (RMF 2.0).
RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management.
One key amendment in the updated version of the RMF is the introduction of a ‘Prepare’ step. This extra step involves assigning responsibilities to specific people, allowing enterprise-wide privacy and security controls, eliminating unnecessary functions, releasing common controls, prioritizing resources for high value assets, and establishing communication channels to ensure effective communication between the C-Suite and employees. The ‘Prepare’ step, which comes before the Categorize step, was brought in to help organizations “achieve more effective, efficient, and cost-effective security and privacy risk management processes.”
RMF 2.0 requires maximum use of automation in implementing the framework rules to allow ongoing assessment and reviewing of privacy and security controls, and the preparation of authorization packages for timely decision making.
NIST has published seven main objectives for the updated RMF. By achieving some or all of the objectives listed below, execution of the RMF will be simplified, groups will be able to employ innovative approaches for risk management, and will increase the level of automation for risk management-related jobs.
The seven objectives are:
- To achieve better linkage and communication between the risk management processes and activities at the C-suite and the people, processes, and activities at the system and operational level of the group.
- To institutionalize critical risk management preparatory duties at all risk management levels.
- To show how the NIST Cybersecurity Framework can work with the RMF and implemented using current NIST risk management processes.
- To integrate privacy risk management tasks into the RMF
- To promote the development of secure software and systems via the alignment of life cycle-based systems engineering steps.
- To connect security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices in the SDLC.
- To make it possible for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the NIST consolidated control catalog (SP 800-53, Revision 5).
The Office of Management and Budget (OMB) obligates all states and agencies to follow RMF 2.0 to control security and privacy dangers. RMF 2.0 allows them to manage privacy and security risk in one, unified framework.