NIST announces the final public draft Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations--A System Life Cycle Approach for Security and Privacy.
There are seven major objectives for this update:
The addition of the Prepare step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.
In addition to seeking your comments on this final public draft, we are specifically seeking feedback on a new RMF Task P-13, Information Life Cycle. The life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, including destruction and deletion. Identifying and understanding all stages of the information life cycle have significant implications for security and privacy. We are seeking comment on how organizations would execute this task and how we might provide the most helpful discussion to assist organizations in its execution.
The public comment period for the draft publication is October 2 through October 31. Please submit comments using the available comment template to sec-cert@nist.gov.
Security and Privacy: audit & accountability, continuous monitoring, controls, planning, risk assessment
Applications: cybersecurity framework
Laws and Regulations: Executive Order 13800, Federal Information Security Modernization Act, Homeland Security Presidential Directive 7, OMB Circular A-130