New NIST Framework Strengthens Risk Management

Earlier this week, the National Institute of Standards and Technology (NIST) released the final version of the Risk Management Framework (RMF), NIST SP 800-37 Revision 2, which addresses both security and privacy concerns in IT risk management.

NIST is a non-regulatory government agency that develops Federal Information Processing Standards (FIPS), which guide organizations in protecting information and information systems. In our Security Risk Assessments, Netgain uses part of NIST’s cyber-security framework as a guiding document.

“This update in the NIST framework really signifies the significance of cybersecurity and the effect it has on our security landscape,” said Chris Dean, Netgain’s Healthcare Strategic Business Consultant. Chris specializes in Security Risk Analysis, which uses, in part, the NIST risk management framework.

“The unified and collaborative approach to bring security and privacy evidence together in a single authorization package will support authorizing officials with critical information from security and privacy professionals to help inform the authorization decision,” the Framework states.

According to a Twitter post written by NIST Fellow Ron Ross, “RMF 2.0 is the first framework in the world to address security, privacy, and supply chain risk in an integrated manner — at the organization, mission/business process, and system levels.”

The new framework is meant to be a more comprehensive approach to privacy and security, addressing vulnerabilities throughout the entire life cycle and encouraging automation to help the process.

According to Healthcare IT Security, NIST officials said the update’s main objectives will help organizations “simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks.”

One major change in the NIST Framework is the addition of a step called “Prepare.” This new step, which includes seven objectives focused on user training and communication, was created to “achieve more effective, efficient, and cost-effective security and privacy risk management processes,” according to NIST. These are the seven objectives under the new “Prepare” step:

  1. Provide closer linkage and communication between top executives and governance-level employees and the rest of the organization
  2. Create critical risk management preparatory activities at all necessary levels
  3. Show how the NIST Cybersecurity Framework can be aligned with the RMF
  4. Include privacy risk management in the RMF
  5. Promote trustworthy secure systems by aligning the RMF with the NIST framework for engineering such systems
  6. Integrate supply chain risk management concepts into the RMF
  7. Enable organizations to generate a “control selection approach” as a complement to the NIST SP 800-53 Revision 5 consolidated control catalog.

For more information or questions on how the new NIST framework might impact your organization, contact us for a consultation.

Check out HIMSS’s take on the new NIST framework.
