UPDATED- NIST 800-37 Rev.2: Risk Management Framework for Information Systems and Organization's
NIST just released the FINAL NIST 800-37 Framework and it clearly delineates what we have been promoting for the past few years. The "Big Picture", the importance of an Enterprise Level Risk Management Framework and how the Cybersecurity Frameworks is integrated within it. On this blog, we will delineate the key areas that focus on what we have been saying across our site, blog, and YouTube channel.
Today, NIST published the latest update for NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy . This update to NIST Special Publication 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals, in response to Executive Order 13800, OMB Circular A-130, and OMB Memoranda M-17-25 and M-19-03. This is the first NIST publication to address security and privacy risk management in an integrated, robust, and flexible methodology.
One of the key changes in this RMF update is the addition of the Prepare step, which was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.
Major UpdatesThere's Seven (7) key major updates for this publication and they are:
- Closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level;
- Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost effective execution of the RMF;
- Demonstrate how the NIST Cybersecurity Framework [NIST CSF] can be aligned with the RMF and implemented using established NIST risk management processes;
- Integration of Privacy Risk Management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes on NIST 800-160, Volume 1 [SP 800-160v1], with the relevant tasks in RMF;
- To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- Help the organization delineate a section of controls approcach to compliment traditional baseline control section and support the use of upcoming NIST 800-53, Rev. 5 control catalog.
What is addressed by the new "PREPARE" step?The new step was integrated in order to achieve a more effective, efficient, and cost-effective security and privacy risk management process. The primary objectives are:
- To facilitate effective communication between senior leaders and executives at the organization and mission/business process levels and system owners at the operational level;
- To facilitate organization-wide identification of common controls and the development of organizationally-tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection;
- To reduce the complexity of the information technology (IT) and operations technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services;
- To reduce the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk; and
- To identify, prioritize, and focus resources on the organization’s high value assets (HVA) that require increased levels of protection—taking measures commensurate with the risk to such assets.
How can the integration of the "PREPARE" step help organizations implementing the RMF process?Organization's that choose to implement the Risk Management Framework and leverage the "Prepare" Step, will be able to...
- Promote a consistent starting point for the implementation of the RMF framework;
- Maximize the use of common control's at the organization level to promote standardized, consistent, and cost-effective security and privacy capability inheritance;
- Maximize the use of shared or cloud-based systems, services, and applications to reduce the number of authorizations needed across the organization;
- Employ organizationally-tailored control baselines to increase the speed of security and privacy plan development and the consistency of security and privacy plan content;
- Employ organization-defined controls based on security and privacy requirements generated from a systems security engineering process;
- Maximize the use of automated tools to manage security categorization, control selection, assessment, and monitoring- related to the authorization process;
- Decrease the level of effort and resource expenditures for low-impact systems if those systems cannot adversely affect higher-impact systems through system connections;
- Maximize the reuse of RMF artifacts (e.g., security and privacy assessment results) for standardized hardware/software deployments, including configuration settings;
- Reduce the complexity of the IT/OT infrastructure by eliminating unnecessary systems, system components, and services-- by employing the least functionality principle; and
- Make the transition to ongoing authorization a priority and use continuous monitoring approaches to reduce the cost and increase the efficiency of security and privacy programs.
How does the new framework addresses security and privacy concerns?The framework addresses them from two unique perspectives:
- An Information Systems Perspective- authorizing officials issue an authorization to operate or authorization to use for the system, accepting the security and privacy risks to the organization’s operations and assets, individuals, other organizations, and the Nation. Authorizing officials also consider the risk of inheriting common controls as part of their system authorizations.
- A Common Control Perspective - authorizing officials issue a common control authorization for a specific set of controls that can be inherited by designated organizational systems, accepting the security and privacy risks to the organization’s operations and assets, individuals, other organizations, and the Nation
Is this mandated for organizations?
No; however, it must be understood that NIST guidance is being adopted worldwide by many sectors and organizations outside of the government to address Cyber Attacks. The cybersecurity framework by itself will not function unless it is attached to an Enterprise Level Risk Management Framework.
In addition, the possibility of it being mandated cannot be ignored. Data deemed sensitive impacts all sectors and areas and it is why Europe implemented the General Data Protection Regulation (EU) 2016/679 ("GDPR") regulation that impacts data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA) and expands to businesses across the world.
We will emphasize that, applying this strategically can have a high-level return on investment in the long run for the organization's who apply this methodology. Ideally, it is implemented during the startup process and/or while the organization is small; however, this can also be applied to mid-large organizations with strategic phases.
How can CyberAdeptness help?
Our focus from inception has been emphasizing the importance of an Enterprise Level Risk Assessment and the importance of NIST RMF Tiers 1 & 2. Therefore, we have done this process, have a specific methodology in place, and have the know-how on how to secure and limit risk across the Enterprise to what truly matters... mission critical systems and privilege users by ensuring the items under the new "PREPARE" step are tied to each organization's unique mission and business processes.
It simply validates what we have been saying from inception.
We work closely with organizations to implement this process by emphasizing the importance of an Enterprise Risk Assessment, which will then delineate a clear path on what the organization needs to focus on in order to comply with the requirements noted by prioritizing the implementation in phases based on it's business objectives and processes.This will alleviate the current cost of certifications and continuous monitoring.
Interested on learning more? Contact US via our site form at https://www.cyberadeptness.com
NOTE: Due to security concerns, we limit our web content to bare bones. Please note that you will receive a response within forty-eight (48) hours or less.