The National Institute of Standards and Technology today announced the release of the final public draft of its Risk Management Framework (RMF), opening the newly-revised document to one more round of public comment before the RMF is expected to be finalized by the end of the year.
The RMF, NIST SP 800-37 Revision 2, incorporates the latest round of comments, which were accepted until June 22. NIST has made a number of notable additions to the RMF as a result of that feedback.
“One of the key changes” flagged by the agency is the addition of a completely new risk management procedure, known as the Prepare step, which was “incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.”
Prepare delves into the assignment of risk management roles, developing a risk management strategy, and conducting risk assessments at the enterprise level. The objectives for this organization-level and system-level preparation, according to NIST, include more effective communication between executives and operational staff; identification of common controls and tailored control baselines; reducing complexity of IT and OT infrastructure; and placing increased emphasis on the protection of high-value assets.
Among the other major objectives for the new RMF update is a closer integration with NIST’s Cybersecurity Framework, “to demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes.”
NIST is also offering a more robust integration of supply chain risk management processes into the RMF, “to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices.”
NIST also flagged a particular section where it is looking for feedback, dealing with a new RMF task known as “Information Life Cycle.”
“The life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion,” said NIST Fellow Ron Ross. “Identifying and understanding all stages of the information life cycle have significant implications for security and privacy. We are seeking comments on how organizations would execute this task and how we might provide the most helpful discussion to assist organizations in the execution.”
Ross added that NIST anticipates publishing the final version of the RMF by December 2018. The public comment period is now open, and comments for the RMF will be accepted until October 31.