NIST Offers Insight Into Updated Risk Management Framework

The National Institute of Standards and Technology (NIST) has recently provided a glimpse into their revised Risk Management Framework (RMF). NIST issued a Final Draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations–A System Life Cycle Approach for Security and Privacy. The focus of the revised Framework, which is open for comment through October 31, 2018, is to integrate privacy and data security. The RMF features several updates aimed at supply chain risk, the NIST Cybersecurity Framework, and the pending update to NIST SP 800-53, Revision 5, which is focused on information security for federal information systems but now with an added emphasis on privacy-by-design. One of the key changes to the Framework is the introduction of a new step in the RMF process – “Prepare.” The purpose of this step is to achieve more cost-effective and efficient security and privacy risk management processes. The revision also seeks comment about a new task to improve the quality of privacy and security risk assessments, “identifying and understanding all stages of the information life cycle.” In addition, the updated Risk Management Framework includes among others the following objectives, which strike some familiar notes:

Integrating security-related, supply chain risk management concepts into the RMF to address untrustworthy suppliers (e.g., poor manufacturing, counterfeits, tampering, malicious code, etc.);
Demonstrating how the NIST Cybersecurity Framework can be combined with the RMF to establish NIST risk management processes;
Allowing an organization-generated control selection approach to support the use of the consolidated control catalog in the pending NIST SP 800-53, Revision 5.

The revised RMF reflects the increasing trend, at NIST and more broadly in both the public and private sectors, toward approaching risk assessment and risk management as a comprehensive, enterprise-wide responsibility rather than as a series of discrete activities divided into subject matter silos.

Register now for your free, tailored, daily legal newsfeed service.

NIST Offers Insight Into Updated Risk Management Framework
Blog Data Law Insights

Filed under

Organisations

Popular articles from this firm

Spotlight: tax residence and fiscal domicile in USA *

Potential disclosure of LLC beneficial owners in New York *

What’s in a Name? A Lot, Says the SEC *

Can AI Defame? We May Know Sooner Than You Think. *

Common Questions—and Answers—About A Potential Government Shutdown *

More from Data Law Insights

Catch Up Fast: The “Data Days” of Summer in China

The Future is Here: Senate Judiciary Committee’s Oversight of AI and Principles for Regulation

The First Text Cuts the Deepest: Eleventh Circuit Aligns with Other Circuits on TCPA Standing

California Privacy Rights Act Enforcement Delayed

FTC Policy Statement on Biometric Information and Section 5 of the FTC Act Frames Agency’s Approach to Deception and Unfairness, Signaling Enforcement Priorities

Related practical resources PRO

Related research hubs