Jason L. Williams, JD, MSIT
Operations Director, Maize Analytics
The National Institute of Standards and Technology (NIST) released revision 2 of NIST SP 800-37, Risk Management Framework for Information Systems and Organizations, in December 2018. The revision recognizes the importance of both information security and privacy:
“While security and privacy are independent and separate disciplines, they are closely related, and it is essential for agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with applicable requirements. . . .” 
NIST lists the seven major objectives of the revised Risk Management Framework (RMF):
- Provide a closer linkage between risk management and C-suite;
- Institutionalize critical risk management preparatory activities at all organizational levels;
- Demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented with NIST RMF processes;
- Integrate privacy risk management process into the RMF to support privacy needs;
- Promote development of secure software and systems by aligning lifecycle-based systems with relevant tasks in the RMF;
- Integrate security-related, supply chain risk management concepts into the RMF; and
- Support both organization-generated and baseline control selection, and support the consolidated control catalog in NIST SP 800-53, Revision 5.
The NIST RMF system life cycle approach for security and privacy now consists of seven steps: prepare, categorize, select, implement, assess, authorize, and monitor. The addition of the “Prepare” step was a key change to the RMF. This change was incorporated into the RMF to “achieve more effective, efficient, and cost-effective security and privacy risk management processes.” The institutionalization of organization- and system-level preparation can simplify RMF execution, assist in the employment of innovative approaches to risk management, and increase automation for specific tasks in the RMF. If an organization does not engage in adequate preparation, security and privacy can become too costly, demand too many skilled professionals, and produce ineffective solutions.
The process of implementing RMF tasks will vary from organization to organization and may require the organization to diverge from the sequential order outlined in SP 800-37, Revision 2. NIST SP 800-37, Appendix E, contains tables of the specific tasks associated with each step in the RMF, along with the responsible and supporting roles for each task.
Privacy and security risk management processes complement one another but are not the same. NIST states, “While many privacy risks arise from unauthorized activities that lead to the loss of confidentiality, integrity, or availability of PII, other privacy risks result from authorized activities involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of PII that enables an organization to meet its mission or business objectives.” The management of privacy risks requires specialized expertise.
The RMF recognizes the increasing need to manage risk in an organization’s supply chain, given the growing reliance on products, systems, and services provided by external providers. Supply chain risks are often associated with an “organization’s decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated, and deployed.” An organization must develop a supply chain risk management policy by coordinating efforts across the organization.
The release of NIST SP 800-37, Revision 2, demonstrates NIST’s ongoing efforts to provide a more robust, mature, and efficient process for addressing privacy risk. Privacy risk management must begin with governance and C-suite involvement, systematically address and select controls, and continually assess and monitor privacy risk and controls for effectiveness and compliance. NIST’s efforts in developing a Privacy Framework, revising Special Publication 800-37, and integrating privacy controls into NIST SP 800-53, Revision 5, will give healthcare organizations the tools necessary to successfully engineer privacy protections into their system life cycle.