It doesn’t seem very long ago that I was writing about the newly released Risk Management Framework (RMF) and explaining the value of NIST SP 800-37 to our clients. With RMF Revision 2 published in December 2018, I thought it would be a good time to revisit the RMF and highlight some of its key updates. Overall, the new version takes a more holistic approach to the risk management process, integrates privacy and adds the RMF to the software development life cycle (SDLC). Revision 2 also includes information on aligning the RMF with NIST’s Cybersecurity Framework (CSF), supply chain risk management and security engineering.

Why should Tripwire clients become familiar with Rev 2? RMF Rev 2 now provides much broader and more comprehensive guidance for managing risk in federal agencies and in other organizations seeking to strengthen their risk management process.

If you are new to the RMF, it is most commonly associated with the NIST SP 800-37 guide, “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” which has been a core FISMA guidance document since 2004. NIST SP 800-37 was the product of the Joint Task Force Transformation Initiative Interagency Working Group, and every agency of the U.S. government must now abide by it and integrate it into their processes. It was integrated into DoD instructions, and many organizations now follow its guidance for compliance with the RMF. For all federal agencies, the RMF describes the process that must be followed to secure, authorize and manage IT systems. The RMF defines a process cycle that is used for initially securing systems and granting an Authorization to Operate (ATO), and then for integrating ongoing risk management (continuous monitoring).
Risk Management Framework Steps
As a recap, the RMF is a six-step process as illustrated below:
- Step 1: Categorize Information Systems
- Step 2: Select Security Controls
- Step 3: Implement Security Controls
- Step 4: Assess Security Controls
- Step 5: Authorize Information System
- Step 6: Monitor Security Controls
Purpose of Rev 2
The purpose of NIST Special Publication (SP) 800-37, Revision 2 was to further clarify and expand its guidance for systems, individuals and organizations, and to update it so that it covers both security and privacy. Per the NIST site, it includes:
- Providing a closer link and communication between the risk management processes and activities at the C-suite level and the individuals, processes and activities at the system and operational level of the organization, through the addition of the Prepare Step;
- Institutionalizing foundational risk management preparatory activities at all risk management levels;
- Demonstrating how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
- Integrating privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- Promoting the development of trustworthy secure software and systems by aligning lifecycle-based systems engineering processes in NIST SP 800-160 Volume 1;
- Integrating security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code and poor manufacturing and development practices throughout the SDLC; and
- Allowing for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated security and privacy control catalog in NIST SP 800-53 Revision 5.
Of particular note was the inclusion of guidance on handling personally identifiable information (PII), the alignment between the CSF and the RMF, task references to the security engineering processes in NIST SP 800-160, as well as the implications for supply chain risk management (SCRM).