NIST Adds Privacy Measures into the Risk Management Framework (RMF)


The National Institute of Standards and Technology (NIST) has incorporated privacy measures in its recent draft update to the Risk Management Framework (RMF) to help organizations more easily protect the nation's critical assets.

Officially titled Draft NIST Special Publication (SP) 800-37 Revision 2, the Risk Management Framework update, just released in draft form, gives guidance to help organizations of all sizes and sectors perform adequate risk management for all of their sensitive company and customer information. There is a strong focus on cybersecurity and on managing the evolving threat landscape. The draft adds measures to protect the privacy of individuals and their data, and it also aims to educate organizations on how to better identify and respond to risks that concern personally identifiable information.

Both federal agencies and contractors that do business with the federal government are taking notice of the new RMF draft, as it relates directly to the increasingly popular NIST Cybersecurity Framework (CSF) and highlights the relationships that exist between the two documents.

One of NIST's publishers, Ron Ross, noted, “Until now, federal agencies had been using the RMF and CSF separately...The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”

According to the NIST blog, the update has several important objectives for the RMF itself, which include:

  • Integrating security and privacy into systems development. Building security and privacy into information systems at the initial design stage is a major concern. The RMF also references NIST systems security engineering guidance at appropriate points, including NIST’s SP 800-160, which addresses the engineering of trustworthy secure systems.
  • Connecting senior leaders to operations. The RMF provides guidance on how an organization’s senior leaders can better prepare for RMF execution, as well as how to communicate their protection plans and risk management strategies to system implementers and operators.
  • Incorporating supply chain risk management considerations. The RMF addresses growing supply chain concerns in the areas of counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potential harmful activities that can impact an organization’s systems and systems components.
  • Supporting security and privacy safeguards. The RMF update will provide organizations with a disciplined and structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST’s SP 800-53, Revision 5.

According to NIST, "Now that the RMF is more aligned with the NIST Framework, federal agencies, which are required to implement multiple frameworks, will have greater clarity. While adhering to the CSF is voluntary for private companies, its use for the federal government is mandatory under Executive Order 13800. Compliance with the RMF is mandatory for federal agencies in accordance with the Federal Information Security Modernization Act (FISMA). The RMF is also required and in widespread use in the Department of Defense and the intelligence community." [CyberStrong makes RMF assessment and reporting easy for the Department of Defense and its supply chain, pairing NIST SP 800-171 (DFARS compliance) with the Risk Management Framework.]

“It was imperative for us to figure out how these frameworks fit together,” Ross said. “Many agencies are trying to follow both.”

A more privacy-enhanced Risk Management Framework could be invaluable to organizations outside of the federal sector, especially given the recent focus of the media and regulators on data privacy and protection, with GDPR and other events.

“Many folks are discovering how vulnerable they are with respect to their personal information and may begin to demand some standard level of protection,” Ross said. “If such a demand occurs, the government will be looking for clearly stated requirements for privacy, privacy safeguards, and a disciplined and structured process on how those controls could be applied. The timing of this publication could not be any better.”
