Share this article on:
The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37) – The first time the Risk Management Framework has been updated in the seven years since it was first published.
NIST was called upon to update the Framework by the Defense Science Board, the Office of Management and Budget, and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
Because of the importance of information risk management to an organization’s overall risk management strategy, the C-Suite needs to get more involved in the implementation of information risk management processes. Security and privacy need to be taken into account when larger risk management decisions are being made.
The Information Risk Management Framework is typically implemented at the system level, the realm of the Chief Information Security Officer (CISO) and Chief Information Officer (CIO). However, NIST found that organizations often fail to communicate issues effectively with the C-suite.
One of the main aims of the update is to provide closer linkage and communication risk management processes at the system and organization level with those of the C-Suite. More C-suite involvement will help to ensure that the Risk Management Framework is more effective when it is implemented.
The update will help to institutionalize critical enterprise-wide risk management preparatory activities enabling more cost-effective execution of the Framework at the system and operational level. NIST has also unified security and privacy concepts into the Framework to help organizations develop a more integrated approach to risk management.
The discussion draft of the updated NIST Risk Management Framework is open for comments until November 3, 2017. NIST said, “This draft is intended to promote discussion on the new organizational preparation step and the other innovations introduced in RMF 2.0.” Public comments will accepted when the public draft of the guidance is issued in November 2017.
NIST hopes to release the final draft of the updated Risk Management Framework for Information Systems and Organizations in January 2018, and the final publication in March 2018.