Date Published: September 2017
Planning Note (2/9/2018):
See the current publication schedule proposed by NIST; it may be subject to change.
NIST announces the release of a discussion draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This update responds to the call by the Defense Science Board, the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and the Office of Management and Budget Memorandum M-17-25 (implementation guidance for the Cybersecurity Executive Order) to develop the next-generation Risk Management Framework (RMF) for systems and organizations.
There are four major objectives for this update—
- To provide closer linkage and communication between the risk management processes and activities at the C-suite level of the organization and the processes and activities at the system and operational level of the organization.
- To institutionalize critical enterprise-wide risk management preparatory activities to facilitate a more efficient and cost-effective execution of the Risk Management Framework at the system and operational level.
- To demonstrate how the Cybersecurity Framework can be implemented using the established NIST risk management processes (i.e., developing a Federal use case).
- To provide an integration of privacy concepts into the Risk Management Framework and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5.
The addition of the organizational preparation step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective risk management processes. The primary objectives for institutionalizing organizational preparation are as follows:
- To facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners—conveying acceptable limits regarding the implementation of security and privacy controls within the established organizational risk tolerance.
- To facilitate organization-wide identification of common controls and the development of organization-wide tailored security and privacy control baselines, to reduce the workload on individual system owners and the cost of system development and protection.
- To reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services through the application of enterprise architecture concepts and models.
- To identify, prioritize, and focus resources on high-value assets and high-impact systems that require increased levels of protection—taking steps commensurate with risk such as moving lower-impact systems to cloud or shared services, systems, and applications.
Recognizing that organizational preparation for RMF execution may vary from organization to organization, achieving the objectives outlined above can significantly reduce the information technology footprint and attack surface of organizations, promote IT modernization objectives, conserve security resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.
This draft is intended to promote discussion on the new organizational preparation step and the other innovations introduced in RMF 2.0—including how these changes work to achieve the primary objectives stated above.
Keywords assess; authorization to operate; common control authorization; authorization to use; authorizing official; categorize; common control; common control provider; continuous monitoring; hybrid control; implement; information owner/steward; monitor; ongoing authorization; plan of action and milestones; privacy assessment report; privacy control; privacy plan; risk; risk assessment; risk executive function; risk management; risk management framework; threat intelligence; threat modelling; security assessment report; security control; security plan; senior agency information security officer; senior agency official for privacy; system development life cycle; system owner; system privacy officer; system security officer.
Security Assessment and Authorization;