NIST Releases Final Version of Updated Risk Management Framework

The National Institute of Standards and Technology (NIST) has released the final version of its updated Risk Management Framework (RMF 2.0).

RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management.

One key change in the updated version of the RMF is the introduction of a ‘Prepare’ step. This additional step involves assigning responsibilities to specific individuals, enabling enterprise-wide privacy and security controls, eliminating unnecessary functions, publishing common controls, prioritizing resources for high-value assets, and establishing channels for effective communication between the C-suite and employees. The ‘Prepare’ step, which comes before the Categorize step, was introduced to help organizations “achieve more effective, efficient, and cost-effective security and privacy risk management processes.”

RMF 2.0 requires maximum use of automation in executing the framework rules to allow continuous assessment and monitoring of privacy and security controls, and the preparation of authorization packages for timely decision making.

NIST has listed seven main objectives for the updated RMF. By achieving some or all of the objectives listed below, organizations will simplify execution of the RMF, be able to employ innovative approaches to risk management, and increase the level of automation for risk management-related tasks.

The seven objectives are:

  • To achieve closer linkage and communication between the risk management processes and activities at the C-suite and the individuals, processes, and activities at the system and operational level of the organization.
  • To institutionalize critical risk management preparatory activities at all risk management levels.
  • To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using current NIST risk management processes.
  • To integrate privacy risk management processes into the RMF.
  • To promote the development of secure software and systems through the alignment of life cycle-based systems engineering processes.
  • To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC.
  • To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the NIST consolidated control catalog (SP 800-53, Revision 5).

The Office of Management and Budget (OMB) requires all states and agencies to follow RMF 2.0 to manage security and privacy risks. RMF 2.0 allows them to manage privacy and security risk in a single, unified framework.

According to NIST fellow Ron Ross, “[RMF 2.0] ensures the term compliance means real cybersecurity and privacy risk management – not just satisfying a static set of controls in a checklist.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.