NIST Adds Privacy Measures into the Risk Management Framework (RMF)

The National Institute of Standards and Technology (NIST) has incorporated privacy measures in its recent draft update to the Risk Management Framework (RMF) to help organizations more easily protect the nation's critical assets.

Officially titled the Draft NIST Special Publication (SP) 800-37 Revision 2, the Risk Management Framework update that was just released in draft form, gives guidance to help organizations of all sizes and sectors perform adequate risk management against all of their sensitive company and customer information. There's a large focus on cybersecurity and how to manage the evolving threat landscape. The recent draft version of the RMF adds measures to protect the privacy of individuals and their data. It also focuses on educating organizations on how to better identify and respond to risks that concern personally identifiable information.

Both Federal agencies and Contractors do business with the Federal government are taking notice of the new RMF draft, as it relates directly to the increasingly popular NIST Cybersecurity Framework (CSF), highlighting relationships that exist between the two documents.

One of NIST's publishers Ron Ross noted, “Until now, federal agencies had been using the RMF and CSF separately...The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”

According to the NIST Blog, The update has several important objectives including the RMFi itself, which includes:

  • Integrating security and privacy into systems development. Building security and privacy into information systems at the initial design stage is a major concern. The RMF also references NIST systems security engineering guidance at appropriate points, including NIST’s SP 800-160, which addresses the engineering of trustworthy secure systems.
  • Connecting senior leaders to operations. The RMF provides guidance on how an organization’s senior leaders can better prepare for RMF execution, as well as how to communicate their protection plans and risk management strategies to system implementers and operators.
  • Incorporating supply chain risk management considerations. The RMF addresses growing supply chain concerns in the areas of counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potential harmful activities that can impact an organization’s systems and systems components.
  • Supporting security and privacy safeguards. The RMF update will provide organizations with a disciplined and structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST’s SP 800-53, Revision 5.

According to NIST, "Now that the RMF is more aligned with the NIST Framework, Federal agencies will have greater clarity which are required to implement multiple frameworks. While adhering to the CSF is voluntary for private companies, its use for the federal government is mandatory under Executive Order 13800. Compliance with the RMF is mandatory for federal agencies in accordance with the Federal Information Security Modernization Act (FISMA). The RMF is also required and in widespread use in the Department of Defense and the intelligence community [CyberStrong makes the RMF assessment and reporting easy for Department of Defense and the supply chain for NIST SP 800-171 (DFARS Compliance) paired with the Risk Management Framework]

“It was imperative for us to figure out how these frameworks fit together,” Ross said. “Many agencies are trying to follow both.”

A more privacy-enhanced Risk Management Framework could be invaluable to organizations outside of the Federal sector - especially considering the data privacy and protection focus from the media and regulators as of late with GDPR and other events.

“Many folks are discovering how vulnerable they are with respect to their personal information and may begin to demand some standard level of protection,” Ross said. “If such a demand occurs, the government will be looking for clearly stated requirements for privacy, privacy safeguards, and a disciplined and structured process on how those controls could be applied. The timing of this publication could not be any better.”

You can comment on the NIST draft Risk Management Framework until June 22, 2018. The final version will be issued in the month of October 2018.