The National Institute of Standards and Technology (NIST) has released the final version of its updated Risk Management Framework (RMF 2.0) addressing both privacy and security concerns around IT risk management.1 A risk management framework (RMF) is the structured process used to identify potential threats to an organization and to define the strategy for eliminating or minimizing the impact of these risks, as well as the mechanisms to effectively monitor and evaluate this strategy.
Officials say the updates are the first NIST publication to address risk management privacy and security with an integrated and robust methodology.
One key change in the updated version of the RMF is the introduction of a ‘Prepare’ step. This additional step involves assigning responsibilities to specific individuals, enabling enterprise-wide privacy and security controls, eliminating unnecessary functions, publishing common controls, prioritizing resources for high value assets, and establishing communication channels to ensure effective communication between the C-Suite and employees. The ‘Prepare’ step, which comes before the Categorize step, was introduced to help organizations “achieve more effective, efficient, and cost-effective security and privacy risk management processes.”
RMF 2.0 requires maximum use of automation in executing the framework rules to allow continuous assessment and monitoring of privacy and security controls, and the preparation of authorization packages for timely decision making.
NIST has listed seven main objectives for the updated RMF. Officials said the update’s main objectives will help organizations “simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks.” These are the seven objectives addressed by the update:
- Better communication and linkage of risk management activities and processes among C-suite members, governance-level employees, and the entire organization
- Implement risk management preparation at all levels
- Demonstrate how the NIST Cybersecurity Framework aligns with RMF
- Insert privacy risk management rules into the RMF
- Promote secure software and systems development into RMF to support privacy programs
- Add security-related supply chain risk management into RMF, which addresses untrustworthy suppliers, counterfeit insertion, tampering, unauthorized production, theft, malicious code insertion, and poor manufacturing and development processes.
- Support organization-generated control selection approach to complement traditional baseline control, along with bolstering the NIST consolidated control catalog.
The Office of Management and Budget (OMB) requires all states and agencies to follow RMF 2.0 to manage security and privacy risks. RMF 2.0 allows them to manage privacy and security risk in a single, unified framework.
According to NIST fellow, Ron Ross, “[RMF 2.0] ensures the term compliance means real cybersecurity and privacy risk management – not just satisfying a static set of controls in a checklist.”
“The unified and collaborative approach to bring security and privacy evidence together in a single authorization package will support authorizing officials with critical information from security and privacy professionals to help inform the authorization decision,” according to the framework.
EU’s General Data Protection Regulation and the ongoing Facebook scandal around how data is used has shifted the data security conversation into a more privacy-centered focus. NIST officials said the RMF is “the first NIST publication to address security and privacy risk management in an integrated, robust, and flexible methodology.”
- RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management. https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final