By Lon J. Berman CISSP, RDRP
The National Institute of Standards and Technology (NIST) is in the process of preparing Special Publication (SP) 800-37 Rev 2 for publication. As you may know, NIST SP 800-37 is the publication that defines the Risk Management Framework (RMF) roles, responsibilities and life cycle process. A review of the SP 800-37 Rev 2 Draft (hereafter referred to as simply “Rev 2”) reveals several significant changes and new content.
The title of Rev 2 has been changed from “Guide for Applying the Risk Management Framework to Federal Information Systems – A Security Life Cycle Approach” to “Risk Management Framework for Information Systems and Organizations – A System Life Cycle Approach for Security and Privacy.” This re-titling is significant in two ways. Firstly, the word “Federal” has been removed from the title. This is reflective of NIST’s desire to include private industry in its quest to make cyberspace a more secure place. Secondly, the word “Privacy” has been added, to further emphasize the critical connection between security and privacy – only with a strong security program can organizations protect the privacy of individuals.
Rev 2 addresses alignment of RMF with the NIST Cybersecurity Framework by providing specific cybersecurity framework “mapping” within the various RMF steps and activities.
Privacy risk management concepts are now integrated into the RMF life cycle. Rev 2 also encourages use of the consolidated security and privacy controls catalog in NIST SP 800-53 Rev 5. Rev 2 pays increased attention to supply chain risk management considerations, such as untrustworthy suppliers, counterfeiting, tampering, malicious code, etc. Rev 2 also provides an alignment of RMF with the systems engineering process as documented in NIST SP 800-160.
In terms of the RMF life cycle itself, a Prepare step has now been added in Rev 2. It is interesting to note that this Prepare step has long been a topic in our RMF training, where it is referred to as “Step 0”. Rev 2 also offers an organization generated control selection approach as an alternative to the traditional baseline control selection approach. Another public draft is slated for publication in July, with final publication of NIST SP 800-37 Rev 2 planned for October.
