As more and more Americans become increasingly alarmed at the ways companies, digital devices and social media sites collect, interpret and share their data, the National Institute of Standards and Technology released today Draft NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This draft responds to findings by the Defense Science Board, Executive Order 13800, and the Office of Management and Budget’s Policy Memorandum M-17-25 to develop the next-generation Risk Management Framework for information systems, organizations and individuals, according to a NIST release.
The Defense Science Board in its 2013 report, Resilient Military Systems and the Advanced Cyber Threat, provides an eye-opening assessment of the current vulnerabilities in the U.S. government, the U.S. critical infrastructure, and the systems that support the mission-essential operations and assets in the public and private sectors.
“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…”
“There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure — ensuring that those systems, products, and services are sufficiently trustworthy throughout the system development life cycle (SDLC) and can provide the necessary resilience to support the economic and national security interests of the United States. System modernization, the aggressive use of automation, and the consolidation, standardization, and optimization of federal systems and networks to strengthen the protection for high-value assets, are key objectives for the federal government,” NIST wrote.
Executive Order (E.O.) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure addresses the increasing interconnectedness of Federal information systems and requires agency heads to ensure appropriate risk management not only for the Federal agency’s enterprise, but also for the Executive Branch as a whole. The E.O. states:
“…The executive branch operates its information technology (IT) on behalf of the American people. Its IT and data should be secured responsibly using all United States Government capabilities...”
“…Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents…”
OMB Memorandum M-17-25 provides implementation guidance to Federal agencies for E.O. 13800. The memorandum states:
“… An effective enterprise risk management program promotes a common understanding for recognizing and describing potential risks that can impact an agency’s mission and the delivery of services to the public. Such risks include, but are not limited to, strategic, market, cyber, legal, reputational, political, and a broad range of operational risks such as information security, human capital, business continuity, and related risks…”
“… Effective management of cybersecurity risk requires that agencies align information security management processes with strategic, operational, and budgetary planning processes…”
Compliance with the RMF is mandatory for federal agencies in accordance with the Federal Information Security Modernization Act (FISMA). The RMF is also required and in widespread use across the Department of Defense and the intelligence community.
The new guidance expands NIST’s efforts to protect the nation’s critical assets from cybersecurity threats and to protect individuals’ privacy, and it will help organizations more easily meet these goals. This newest update will also assist federal agencies and the contractors that do business with them because it connects the RMF with NIST’s recognized Cybersecurity Framework (CSF), signaling the relationships that exist between the two documents, according to NIST.
In addition to the RMF-CSF linkage, NIST takes it a step further and recommends that system developers use other NIST guidance and publications that will provide clarity for federal agencies, which are required to implement multiple frameworks.
NIST Special Publication 800-37 (Revision 2) has several important objectives, including:
- Integrating security and privacy into systems development. Building security and privacy into information systems at the initial design stage is a major concern. The RMF also references NIST systems security engineering guidance at appropriate points, including NIST’s SP 800-160 which addresses the engineering of trustworthy secure systems.
- Connecting senior leaders to operations. The RMF provides guidance on how an organization’s senior leaders can better prepare for RMF execution, as well as how to communicate their protection plans and risk management strategies to system implementers and operators.
- Incorporating supply chain risk management considerations. The RMF addresses growing supply chain concerns in the areas of counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potential harmful activities that can impact an organization’s systems and systems components.
- Supporting security and privacy safeguards. The RMF update will provide organizations with a disciplined and structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST’s Special Publication 800-53 Revision 5.
Resolving the Challenges
The guidelines are designed to achieve security and privacy protections for organizational information and systems through the implementation of appropriate risk response strategies.
Finally, the guidelines meet three additional objectives: “(1) to facilitate the implementation of the Framework for improving critical infrastructure cybersecurity; (2) to ensure that security and privacy requirements and controls are effectively integrated into the enterprise architecture, system development life-cycle processes, acquisition processes, and systems engineering processes; and (3) to support consistent, informed, and ongoing authorization decisions, transparency and traceability of security- and privacy-related information, and reciprocity,” NIST wrote.
A public comment period for NIST Special Publication 800-37 (Revision 2) is open until June 22, 2018. Please submit comments using the template found on the publication details page to firstname.lastname@example.org. NIST said a final version will be issued in October 2018.