NIST announces the release of a discussion draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This update responds to the call by the Defense Science Board, the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and the Office of Management and Budget Memorandum M-17-25 (implementation guidance for the Cybersecurity Executive Order) to develop the next-generation Risk Management Framework (RMF) for systems and organizations.
The NIST Public Affairs Office also issued a press release on this discussion draft of SP 800-37 Rev. 2.
There are four major objectives for this update—
The addition of the organizational preparation step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective risk management processes. The primary objectives for institutionalizing organizational preparation are as follows:
Recognizing that organizational preparation for RMF execution may vary from organization to organization, achieving the objectives outlined above can significantly reduce the information technology footprint and attack surface of organizations, promote IT modernization objectives, conserve security resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.
This draft is intended to promote discussion on the new organizational preparation step and the other innovations introduced in RMF 2.0—including how these changes work to achieve the primary objectives stated above. After the discussion draft, NIST anticipates publishing an initial public draft in November 2017, a final draft in January 2018, and the final publication in March 2018.
Security and Privacy: audit & accountability, controls, risk assessment
Applications: cybersecurity framework
Laws and Regulations: Federal Information Security Modernization Act, OMB Circular A-130