

NIST Issues ‘Approaches for Federal Agencies to Use the Cybersecurity Framework’
By CHIPS Magazine - March 24, 2020
The National Institute of Standards and Technology published NISTIR 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework, featuring examples for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) in a manner that complements the use of other NIST security and privacy risk management standards, guidelines, and practices.

The examples include support for an Enterprise Risk Management (ERM) approach in alignment with Office of Management and Budget (OMB) and the Federal Information Security Modernization Act (FISMA) requirements so that agency heads can “manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a federal information system or federal information,” NIST reported.

NIST recommended that “use of the Cybersecurity Framework’s components should enable discussion about the various types of risk that might occur within federal organizations and promote conversations about how to determine the likelihood and potential consequences of risk events.” Further, these activities can then be combined with those described in NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations; SP 800-39, Managing Information Security Risk; and other guidelines to form a comprehensive risk-based approach for security and privacy.

“This risk-based approach will assist agencies in determining the risks that are relevant to its mission throughout the operational lifecycle and apply an appropriate type and degree of resources to treat those risks to an acceptable level. Examples in this publication demonstrate the use of the Cybersecurity Framework, the NIST Risk Management Framework (RMF), and other models to evaluate and report agency goals and progress and to inform tailoring activities for managing cybersecurity risk appropriately. Use of a comprehensive cybersecurity risk-based approach, as demonstrated through these examples, supports agencies’ activities to meet their concurrent obligations to comply with the requirements of FISMA and Executive Order (EO) 13800,” NIST said in a release.

Publication:
NISTIR 8170 (DOI)
NIST Download

Laws and Regulations
Executive Order 13636
Federal Information Security Modernization Act


CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988