NIST Risk Management Framework 2.0: What You Need to Know
Published on by Bryan Gayhart in SOC Reports, Technology
The National Institute of Standards and Technology (NIST) recently released version 2.0 of its Risk Management Framework (RMF). The RMF addresses security, privacy, and supply chain risk in an integrated manner.
One of the significant additions to the RMF is a step called Prepare. Prepare is intended to help organizations facilitate effective communication between executives and employees. It also guides users to enable enterprise-wide identification of privacy and security controls, reduce the complexity of IT systems and applications, eliminate unnecessary functions and, ultimately, to prioritize resources for high value assets and protect those accordingly.
The seven objectives of the RMF include:
- To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
- To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
- To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
- To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes … with the relevant tasks in the RMF;
- To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.
Contact Us
If you have questions please call Barnes Dennig at 513-241-8313 or click here to have a member of our assurance team contact you at no cost.