NIST Updates Risk Management Framework

The updated RMF will interest federal agencies and contractors that do business with them because it connects the RMF with NIST's well-known Cybersecurity Framework and highlights relationships between the two documents.

The National Institute of Standards and Technology recently announced it has issued a draft update of its Risk Management Framework to help organizations more easily meet the goals of protecting the nation's critical assets from cybersecurity threats and also protect individuals' privacy. The RMF update is Draft NIST Special Publication 800-37 Revision 2, a guidance document to help organizations assess and manage risks to their information and systems. Previous versions of the framework were primarily concerned with cybersecurity protections from external threats, while the updated version adds an overarching concern for individuals' privacy.

NIST explained that the update will interest federal agencies and contractors that do business with them because it connects the RMF with NIST's well-known Cybersecurity Framework and highlights relationships between the two documents.

"Until now, federal agencies had been using the RMF and CSF separately," explained NIST's Ron Ross, one of the publication's authors. "The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you're using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks."

The update has several other important objectives, including:

  • Integrating security and privacy into systems development.
  • Connecting senior leaders to operations. The RMF provides guidance on how an organization's senior leaders can better prepare for RMF execution, as well as how to communicate their protection plans and risk management strategies to system implementers and operators.
  • Incorporating supply chain risk management considerations. The RMF addresses growing supply chain concerns in the areas of counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potential harmful activities.
  • Supporting security and privacy safeguards. The RMF update will provide organizations with a disciplined and structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST's SP 800-53, Revision 5.

"It was imperative for us to figure out how these frameworks fit together. Many agencies are trying to follow both," said Ross, who said the privacy-enhanced RMF might be valuable to companies and organizations beyond the federal government, considering the high importance now being placed on privacy.

NIST is accepting comments from the public on the draft RMF until June 22, 2018. A final version will be issued in October 2018.

Download Center

HTML - No Current Item Deck
  • Free Safety Management Software Demo

    IndustrySafe Safety Management Software helps organizations to improve safety by providing a comprehensive toolset of software modules to help businesses identify trouble spots; reduce claims, lost days, OSHA fines; and more.

  • The Top 5 Safety and Technology Trends to Watch in 2019

    Get the latest on trends you can expect to hear more about in 2019, including continued growth of mobile safety applications, wearable technology, and smart PPE; autonomous vehicles; pending OSHA recordkeeping rulemaking; and increased adoption of international safety standard, ISO 45001.

  • Get the Ultimate Guide to OSHA Recordkeeping

    OSHA’s Form 300A posting deadline is February 1! Are you prepared? To help answer your key recordkeeping questions, IndustrySafe put together this guide with critical compliance information.

  • Safety Training 101

    When it comes to safety training, no matter the industry, there are always questions regarding requirements and certifications. We’ve put together a guide on key safety training topics, requirements for certifications, and answers to common training questions.

  • Conduct EHS Inspections and Audits

    Record and manage your organization’s inspection data with IndustrySafe’s Inspections module. IndustrySafe’s pre-built forms and checklists may be used as is, or can be customized to better suit the needs of your organization.

  • Industry Safe

OH&S Digital Edition

  • OHS Magazine Digital Edition - January 2019

    January 2019

    Featuring:

    • PREVENTING ERRORS
      Production vs. Safety 
    • EMERGENCY SHOWERS & EYEWASH
      Meeting the Requirements for Emergency Equipment
    • CONSTRUCTION SAFETY
      The State of Contractor Safety
    • FOOT PROTECTION
      The Three Keys to Effective Chemical Management
    View This Issue