Featured Product
This Week in Quality Digest Live

More Videos

Operations Features
How Leaders Can Create a Pocket of Excellence in a Toxic Workplace
Jennifer V. Miller
Don’t write your company off just yet
$5 Million Grant Establishes Center to Advance Robotics in Poultry Processing
Fred Miller
University of Arkansas Division of Agriculture leads USDA-NIFA research partnership
Making Organizational Sustainability Work
Steve Calechman
How to do well and do good at the same time
Stay In Your Lane: How to Compete In a Saturated Market
Megan Wallin-Kerth
MasterControl’s Matt Lowe talks competition, data, and what quality does for a company
Titanic Robots Make Farming More Sustainable
Zach Winn
Autonomous machines snip weeds and preserve crops without herbicides

More Features

Operations News
AIM3D and Naddcon Team Up for Additive Manufacturing
Multimaterial 3D printer is integrated in the digital CAx process chain of Siemens NX
Marposs Acquires Digital Strategy Innovation
Strengthens data analysis and AI capability
SAKOR Technologies Releases DynoLAB GenV Next Generation Test Automation Controller
Even nonprogrammers can implement complex test systems and standards
WECO and Multiscan Technologies Form Strategic Partnership in North America
Alliance will help processors in the US, Canada, and Mexico
In-Place Machining Acquires Western Machine Works
Strategic partnership expands industrial machining and repair capabilities
SprutCAM Tech Releases Update for Free Robot Calibration Mobile App
Supports robots from 14 leading manufacturers
Waygate Launches Major Upgrade for Krautkrämer USM 100
Ultrasonic flaw detector now has B/C scan capability, improved connectivity, and an app to aid inspection
Bringing Autonomous Technology to the Construction Industry
ASI Construction partners with end users to deliver solutions to production operations
White House Launches First CHIPS for America Funding Opportunity
Implementing the CHIPS and Science Act

More News

NIST

Operations

NIST Updates Risk Management Framework to Incorporate Privacy Considerations

Helps organizations assess and manage risks to their information and systems

Published: Monday, June 11, 2018 - 12:01

Augmenting its efforts to protect the nation’s critical assets from cybersecurity threats as well as protect individuals’ privacy, the National Institute of Standards and Technology (NIST) has issued a draft update to its Risk Management Framework (RMF) to help organizations more easily meet these goals.

The RMF update, formally titled “Draft NIST Special Publication (SP) 800-37 Revision 2,” is a guidance document designed to help organizations assess and manage risks to their information and systems. Previous versions of the RMF were primarily concerned with cybersecurity protections from external threats. The updated version adds an overarching concern for individuals’ privacy, helping to ensure that organizations can better identify and respond to these risks, including those associated with using individuals’ personally identifiable information.

The update will interest federal agencies and contractors that do business with them, as it connects the RMF with NIST’s well-known Cybersecurity Framework (CSF), highlighting relationships that exist between the two documents.

“Until now, federal agencies had been using the RMF and CSF separately,” says NIST’s Ron Ross, one of the publication’s authors. “The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”

In addition to the RMF-CSF alignment, the update has several important objectives, including:

Integrating security and privacy into systems development. Building security and privacy into information systems during the initial design stage is a major concern. The RMF also references NIST systems security engineering guidance at appropriate points, including NIST’s SP 800-160, which addresses the engineering of trustworthy secure systems.

Connecting senior leaders to operations. The RMF provides guidance on how an organization’s senior leaders can better prepare for RMF execution, as well as how to communicate their protection plans and risk management strategies to system implementers and operators.

Incorporating supply-chain risk management considerations. The RMF addresses growing supply chain concerns in the areas of counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potential harmful activities that can affect an organization’s systems and systems components.

Supporting security and privacy safeguards. The RMF update will provide organizations with a disciplined and structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST’s SP 800-53, Revision 5.

Aligning the RMF with other NIST guidance and publications will provide clarity for federal agencies, which are required to implement multiple frameworks. Although adhering to the CSF is voluntary for private companies, its use for the federal government is mandatory under Executive Order 13800. Compliance with the RMF is mandatory for federal agencies in accordance with the Federal Information Security Modernization Act (FISMA). The RMF is also required and in widespread use in the Department of Defense and the intelligence community.

“It was imperative for us to figure out how these frameworks fit together,” says Ross. “Many agencies are trying to follow both.”

Ross added that the privacy-enhanced RMF might be valuable to companies and organizations beyond the federal government, considering how high profile the subject of privacy has become of late.

“Many folks are discovering how vulnerable they are with respect to their personal information and may begin to demand some standard level of protection,” he says. “If such a demand occurs, the government will be looking for clearly stated requirements for privacy, privacy safeguards, and a disciplined and structured process on how those controls could be applied. The timing of this publication could not be any better.”

NIST is accepting comments from the public on the draft RMF until June 22, 2018. A final version will be issued in October 2018.

Discuss

About The Author

NIST’s picture

NIST

Founded in 1901, the National Institute of Standards and Technology (NIST) is a nonregulatory federal agency within the U.S. Department of Commerce. Headquartered in Gaithersburg, Maryland, NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.