HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NIST Updates its Risk Management Framework for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37) – The first time the Risk Management Framework has been updated in the seven years since it was first published.

NIST was called upon to update the Framework by the Defense Science Board, the Office of Management and Budget, and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

Because of the importance of information risk management to an organization’s overall risk management strategy, the C-Suite needs to get more involved in the implementation of information risk management processes. Security and privacy need to be taken into account when larger risk management decisions are being made.

The Information Risk Management Framework is typically implemented at the system level, the realm of the Chief Information Security Officer (CISO) and Chief Information Officer (CIO). However, NIST found that organizations often fail to communicate issues effectively with the C-suite.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

One of the main aims of the update is to provide closer linkage and communication risk management processes at the system and organization level with those of the C-Suite. More C-suite involvement will help to ensure that the Risk Management Framework is more effective when it is implemented.

The update will help to institutionalize critical enterprise-wide risk management preparatory activities enabling more cost-effective execution of the Framework at the system and operational level. NIST has also unified security and privacy concepts into the Framework to help organizations develop a more integrated approach to risk management.

The discussion draft of the updated NIST Risk Management Framework is open for comments until November 3, 2017. NIST said, “This draft is intended to promote discussion on the new organizational preparation step and the other innovations introduced in RMF 2.0.” Public comments will accepted when the public draft of the guidance is issued in November 2017.

NIST hopes to release the final draft of the updated Risk Management Framework for Information Systems and Organizations in January 2018, and the final publication in March 2018.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.