The National Institute of Standards and Technology released the final version of its Risk Management Framework (RMF), addressing both privacy and security concerns around IT risk management.
All federal agencies are required to follow the framework, according to a notice from the Office of Management and Budget. The framework describes collaboration on privacy and security assessments and plans as crucial to authorization decisions.
“The unified and collaborative approach to bring security and privacy evidence together in a single authorization package will support authorizing officials with critical information from security and privacy professionals to help inform the authorization decision,” according to the framework.
Most notably, NIST added a “Prepare” step to the framework, introduced “to achieve more effective, efficient, and cost-effective security and privacy risk management processes,” officials said. The step includes assigning key roles to individuals, publishing common controls, and continuously monitoring the controls’ effectiveness.
The framework also calls for the maximum use of automation when executing the framework, as automation can bolster the assessment and continuous monitoring of controls while authorization packages are prepared, supporting timely decisions. Officials noted that automation can also support ongoing authorization approaches.
Officials said the update’s main objectives will help organizations “simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks.” These are the seven objectives addressed by the update:
- Improve communication and linkage of risk management activities and processes among C-suite members, governance-level employees, and the entire organization
- Implement risk management preparation at all levels
- Demonstrate how the NIST Cybersecurity Framework aligns with the RMF
- Insert privacy risk management rules into the RMF
- Promote secure software and systems development within the RMF to support privacy programs
- Add security-related supply chain risk management into the RMF, addressing untrustworthy suppliers, counterfeit insertion, tampering, unauthorized production, theft, malicious code insertion, and poor manufacturing and development processes
- Support an organization-generated control selection approach to complement the traditional baseline control selection approach, along with bolstering the NIST consolidated control catalog
The EU’s General Data Protection Regulation and the ongoing Facebook scandal around how data is used have shifted the healthcare security conversation toward a more privacy-centered focus. NIST officials said the RMF is “the first NIST publication to address security and privacy risk management in an integrated, robust, and flexible methodology.”