Date Published: September 2017
Planning Note (02/09/2018):
See the current publication schedule proposed by NIST; it may be subject to change.
Author(s)
Joint Task Force
Announcement
NIST announces the release of a discussion draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This update responds to the call by the Defense Science Board, the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and the Office of Management and Budget Memorandum M-17-25 (implementation guidance for the Cybersecurity Executive Order) to develop the next-generation Risk Management Framework (RMF) for systems and organizations.
There are four major objectives for this update—
- To provide closer linkage and communication between the risk management processes and activities at the C-suite level of the organization and the processes and activities at the system and operational level of the organization.
- To institutionalize critical enterprise-wide risk management preparatory activities to facilitate a more efficient and cost-effective execution of the Risk Management Framework at the system and operational level.
- To demonstrate how the Cybersecurity Framework can be implemented using the established NIST risk management processes (i.e., developing a Federal use case).
- To provide an integration of privacy concepts into the Risk Management Framework and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5.
The addition of the organizational preparation step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective risk management processes. The primary objectives for institutionalizing organizational preparation are as follows:
- To facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners—conveying acceptable limits regarding the implementation of security and privacy controls within the established organizational risk tolerance.
- To facilitate organization-wide identification of common controls and the development of organization-wide tailored security and privacy control baselines, to reduce the workload on individual system owners and the cost of system development and protection.
- To reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services through the application of enterprise architecture concepts and models.
- To identify, prioritize, and focus resources on high-value assets and high-impact systems that require increased levels of protection—taking steps commensurate with risk such as moving lower-impact systems to cloud or shared services, systems, and applications.
Recognizing that organizational preparation for RMF execution may vary from organization to organization, achieving the objectives outlined above can significantly reduce the information technology footprint and attack surface of organizations, promote IT modernization objectives, conserve security resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.
This draft is intended to promote discussion on the new organizational preparation step and the other innovations introduced in RMF 2.0—including how these changes work to achieve the primary objectives stated above.
This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; security and privacy control selection, implementation, and assessment; system and control authorizations; and continuous monitoring. It also includes enterprise-level activities to help better prepare organizations to execute the RMF at the system level. The RMF promotes the concept of near real-time risk management and ongoing system authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy controls into the system development life cycle. Applying the RMF tasks enterprise-wide helps to link essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the security and privacy controls deployed within organizational systems and inherited by those systems. The RMF incorporates concepts from the Framework for Improving Critical Infrastructure Cybersecurity that complement the currently established risk management processes mandated by the Office of Management and Budget and the Federal Information Security Modernization Act.
Keywords
assess; authorization to operate; common control authorization; authorization to use; authorizing official; categorize; common control; common control provider; continuous monitoring; hybrid control; implement; information owner/steward; monitor; ongoing authorization; plan of action and milestones; privacy assessment report; privacy control; privacy plan; risk; risk assessment; risk executive function; risk management; risk management framework; threat intelligence; threat modelling; security assessment report; security control; security plan; senior agency information security officer; senior agency official for privacy; system development life cycle; system owner; system privacy officer; system security officer.
Control Families
Assessment, Authorization and Monitoring; Configuration Management; Planning; Program Management; Risk Assessment