Updates to NIST Risk Management Framework

Jason L. Williams, JD, MSIT
Operations Director, Maize Analytics

The National Institute of Standards and Technology (NIST) released revision 2 of NIST SP 800-37, Risk Management Framework for Information Systems and Organizations in December 2018.^[1]The revision recognizes the importance of both information security and privacy:

“While security and privacy are independent and separate disciplines, they are closely related, and it is essential for agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with applicable requirements. . . .” ^[2]

NIST lists the seven major objectives of the revised Risk Management Framework (RMF):

1. Provide a closer linkage between risk management and C-suite;
2. Institutionalize critical risk management preparatory activities at all organizational levels;
3. Demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented with NIST RMF processes;
4. Integrate privacy risk management process into the RMF to support privacy needs;
5. Promote development of secure software and systems by aligning lifecycle-based systems with relevant tasks in the RMF;
6.  Integrate security-related, supply chain risk management concepts into the RMF; and
7. Support both organization-generated and baseline control selection, and support the consolidated control catalog in NIST SP 800-53, Revision 5^[3]

The NIST RMF system life cycle approach for security and privacy now consists of seven steps: prepare, categorize, select, implement, access, authorize, and monitor. ^[4]The addition of the “Prepare” step was a key change the RMF. This change was incorporated into the RMF to “achieve more effective, efficient, and cost-effective security and privacy risk management processes.”^[5]The institutionalization of organization and system level preparation can simplify RMF execution, assist in employment of innovative approaches to risk management, and increase automation for specifics tasks in the RMF.^[6]If an organization does not engage in adequate preparation, security and privacy can become too costly, demand too many skilled professionals, and produce ineffective solutions.^[7]

The process of implementing RMF tasks will vary from organization to organization and may require the organization to diverge from the sequential order outlined in in SP 800-37, revision 2.^[8]NIST 800-37, Appendix E, contains tables of the specific tasks associated with each step in the RMF along with responsibilities and supporting roles.^[9]

Privacy and security risk management processes complement one another but are not the same. NIST states, “While many privacy risks arise from unauthorized activities that lead to the loss of confidentiality, integrity, or availability of PII, other privacy risks result from authorized activities involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of PII that enables an organization to meet its mission or business objectives.”^[10]The management of privacy risks require specialized expertise.

The RMF recognizes the increasing need to manage risk in an organization’s supply chain due to the increasing reliance on products, systems and services provided by external providers.^[11]  Supply chain risks are often associated with an “organization’s decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated, and deployed.”^[12]An organization must develop a supply chain risk management policy by coordinating efforts across the organization.^[13]

The release of NIST 800-37, Revision 2, demonstrates NIST’s ongoing efforts to provide a more robust, mature and efficient process of addressing privacy risk. Privacy risk management must begin with governance and C-suite involvement, systematically address and select controls, and continually assess and monitor privacy risk and controls for effectiveness and compliance.  The NIST efforts in developing a Privacy Framework, revising Special Publication 800-37, and integrating privacy controls in NIST SP 800-53, Revision 5, will give healthcare organizations the tools necessary to successfully engineer privacy protections into their systems lifecycle.

[1]Nat’l Inst. of Standards & Tech., U.S. Dep’t. of Commerce, NIST Special Pub. 800-37, Rev. 2, Risk Management Framework for Information Systems and Organizations (Dec. 2018) [hereinafter NIST SP 800-37], https://doi.org/10.6028/NIST.SP.800-37r2.
[2]Id. at vi (quotingOffice of Management and Budget, Circular A-130, Managing Information as a Strategic Resource (July 2016), https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a13 0revised.pdf.)
[3]NIST SP 800-37, supranote 1, at v.
[4]Id.at ch. 3. The purpose of each step in the RMF process are:
● PREPARE: “The purpose of the Prepare step is to carry out essential activities at the organization, mission and business process, and information systems level of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.” Id. at 28.
● CATEGORIZE: “The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.” Id.at 46
● SELECT: “The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.” Id.at 50.
● IMPLEMENT: The purpose of the Implement step is to implement the controls in the security and privacy plans for the system and for the organization and to document in a baseline configuration, the specific details of the control implementation.” Id.at 58.
● ASSESS: The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.”Id.at 61.
● AUTHORIZE: “The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.” Id. at 69.
● MONITOR: “The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.” Id. at 76.
[5]NIST SP 800-37, supranote 1, at vi.
[6]Id.at vi – vii.
[7]Id.at 8.
[8]Id.at 23.
[9]Id.app. E, at 126-38.
[10]Id.at 1.
[11]Id.at 20.
[12]Id.
[13]Id.at 20-21