By Kathryn Daily, CISSP, CAP, RDRP
NIST has officially released NIST SP 800-37 Rev 2 and dubbed it “RMF 2.0.” The framework has been updated to make both cybersecurity and privacy key inputs to the authorization decision.
“RMF 2.0 gives federal agencies a very powerful tool to manage both security and privacy risks from a single, unified framework,” said Ron Ross, a fellow at NIST. “It ensures the term compliance means real cybersecurity and privacy risk management–not just satisfying a static set of controls in a checklist.”
According to the framework, “The unified and collaborative approach to bring security and privacy evidence together in a single authorization package will support authorizing officials with critical information from security and privacy professionals to help inform the authorization decision.”
BAI has long taught that “Prepare is Step 0” in its RMF Fundamentals and In-Depth courses. RMF 2.0 makes preparation the official first step of the RMF process “to achieve more effective, efficient, and cost-effective security and privacy risk management processes.”
The update also calls for maximum use of automation in executing the RMF, calling the technology “particularly useful in the assessment and continuous monitoring of controls, the preparation of authorization packages for timely decision-making, and the implementation of ongoing authorization approaches.”
The risk management framework lists seven objectives for the update:
- To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
- To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
- To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
- To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- To promote the development of trustworthy secure software and systems by aligning lifecycle-based systems engineering processes … with the relevant tasks in the RMF;
- To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.