
NIST Adds Privacy Measures into the Risk Management Framework (RMF)


The National Institute of Standards and Technology (NIST) has incorporated privacy measures in its recent draft update to the Risk Management Framework (RMF) to help organizations more easily protect the nation's critical assets.

Officially titled Draft NIST Special Publication (SP) 800-37 Revision 2, the Risk Management Framework update gives guidance to help organizations of all sizes and sectors perform adequate risk management for their sensitive company and customer information. There is a large focus on cybersecurity and how to manage the evolving threat landscape. The draft also adds measures to protect the privacy of individuals and their data, and it focuses on helping organizations identify and respond to risks that concern personally identifiable information.

Both federal agencies and contractors that do business with the federal government are taking notice of the new RMF draft, as it relates directly to the increasingly popular NIST Cybersecurity Framework (CSF) and highlights the relationships that exist between the two documents.

Ron Ross of NIST noted, “Until now, federal agencies had been using the RMF and CSF separately...The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”

According to the NIST blog, the update has several important objectives for the RMF itself, including:

  • Integrating security and privacy into systems development. Building security and privacy into information systems at the initial design stage is a major concern. The RMF also references NIST systems security engineering guidance at appropriate points, including NIST’s SP 800-160, which addresses the engineering of trustworthy secure systems.
  • Connecting senior leaders to operations. The RMF provides guidance on how an organization’s senior leaders can better prepare for RMF execution, as well as how to communicate their protection plans and risk management strategies to system implementers and operators.
  • Incorporating supply chain risk management considerations. The RMF addresses growing supply chain concerns in the areas of counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potential harmful activities that can impact an organization’s systems and systems components.
  • Supporting security and privacy safeguards. The RMF update will provide organizations with a disciplined and structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST’s SP 800-53, Revision 5.

According to NIST, "Now that the RMF is more aligned with the NIST Framework, Federal agencies, which are required to implement multiple frameworks, will have greater clarity. While adhering to the CSF is voluntary for private companies, its use for the federal government is mandatory under Executive Order 13800. Demonstrating compliance with the RMF is mandatory for federal agencies in accordance with the Federal Information Security Modernization Act (FISMA). The RMF is also required and in widespread use in the Department of Defense and the intelligence community." [CyberStrong makes RMF assessment and reporting easy for the Department of Defense and its supply chain, pairing NIST SP 800-171 (DFARS compliance) with the Risk Management Framework.]

“It was imperative for us to figure out how these frameworks fit together,” Ross said. “Many agencies are trying to follow both.”

A more privacy-enhanced Risk Management Framework could be invaluable to organizations outside of the federal sector, especially given the recent focus on data privacy and protection from the media and regulators in light of GDPR, the California Consumer Privacy Act (CCPA), and other developments. Managing privacy risk alongside IT and cyber risk is paramount to a successful risk management program.

“Many folks are discovering how vulnerable they are with respect to their personal information and may begin to demand some standard level of protection,” Ross said. “If such a demand occurs, the government will be looking for clearly stated requirements for privacy, privacy safeguards, and a disciplined and structured process on how those controls could be applied. The timing of this publication could not be any better.”
