For the past few years, the National Institute of Standards and Technology (NIST; formerly the National Bureau of Standards) and the National Security Agency (NSA) have been jointly developing a framework for computer security risk management. The need for this framework became increasingly apparent with the proliferation of personal computer-based risk management tools and approaches. Because these tools and approaches rarely contained descriptions of their underlying models, it has been difficult for users to compare their capabilities. The framework under development, which will identify and define the elements of the risk management process and describe the functional relationships between those elements, will provide the means for comparing alternative approaches and for developing new risk management tools. This paper focuses on several key activities and events surrounding the development of the framework, including the publication of NIST's Guideline for Automatic Data Processing Risk Analysis, the proliferation of PC-based software tools for risk management, the development of the first strawman framework, the first Risk Management Model Builders Workshop (which led to a second strawman framework), and the second Model Builders Workshop. The paper concludes with an indication of the future plans of NIST and NSA to continue the framework effort.