Peter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPT; Kate M. Growley, CIPP/G, CIPP/US; Michael G. Gruden, CIPP/G

The National Institute of Standards and Technology (NIST) has recently provided a glimpse into its revised Risk Management Framework (RMF). NIST issued a Final Draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. The focus of the revised Framework, which is open for comment through October 31, 2018, is to integrate privacy and data security. The RMF features several updates aimed at supply chain risk, the NIST Cybersecurity Framework, and the pending update to NIST SP 800-53, Revision 5, which is focused on information security for federal information systems but now with an added emphasis on privacy-by-design. One of the key changes to the Framework is the introduction of a new step in the RMF process, "Prepare." The purpose of this step is to achieve more cost-effective and efficient security and privacy risk management processes. The revision also seeks comment on a new task intended to improve the quality of privacy and security risk assessments: "identify[ing] and understanding all stages of the information life cycle." In addition, the updated Risk Management Framework includes, among others, the following objectives, which strike some familiar notes:

    • Integrating security-related, supply chain risk management concepts into the RMF to address untrustworthy suppliers (e.g., poor manufacturing, counterfeits, tampering, malicious code, etc.);
    • Demonstrating how the NIST Cybersecurity Framework can be combined with the RMF to establish NIST risk management processes;
    • Allowing an organization-generated control selection approach to support the use of the consolidated control catalog in the pending NIST SP 800-53, Revision 5.

The revised RMF reflects the increasing trend, at NIST and more broadly in both the public and private sectors, toward approaching risk assessment and risk management as a comprehensive, enterprise-wide responsibility rather than as a series of discrete activities divided into subject matter silos.