New update out for NIST's Risk Management Framework
- By Sara Friedman
The National Institute of Standards and Technology is updating its Risk Management Framework to help public- and private-sector organizations better protect critical infrastructure and individuals' privacy.
The new version describes how organizations assess and manage risks to their data and systems, with new emphasis on protecting individuals' personally identifiable information. Because information security and privacy programs share responsibility for managing the risks that arise from unauthorized system activity or behavior, the draft states, their objectives are complementary and coordination between the two programs is essential.
The draft update also ties the risk framework more closely to the Cybersecurity Framework.
“Until now, federal agencies had been using the RMF and CSF separately,” NIST Fellow Ron Ross, one of the publication’s authors, wrote in a May 9 blog post. “The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF.”
While both frameworks are voluntary for the private sector, use of the RMF is mandatory for federal agencies under the Federal Information Security Modernization Act of 2014. Agencies were also directed to use the CSF under Executive Order 13800, issued in May 2017.
The updated RMF also makes other changes:
- Integrating security and privacy into systems development.
- Connecting senior leaders to operations to better prepare for RMF execution.
- Incorporating supply chain risk management considerations.
- Supporting security and privacy safeguards from NIST’s Special Publication 800-53 Revision 5.
NIST is accepting comments on the draft until June 22. The draft, NIST Special Publication 800-37 Revision 2, is available on NIST's website.