• About Us
  • Events
  • Newsletter Sign Up
  • Spotlight Series
  • Webinars
  • WhitePapers
  • Videos
  • Podcasts
    1. Home

    Risk Management Framework Update: NIST publishes SP 800-37 Revision 2

    Dec. 26, 2018

    NIST published NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This update to NIST SP 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals, in response to Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, OMB Circular A-130, Managing Information as a Strategic Resource, OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program.

    This is the first NIST publication to address security and privacy risk management in an integrated, robust, and flexible methodology.

    There are seven major objectives for this update:

    1. Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
    2. Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
    3. Demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
    4. Integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
    5. Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160 Volume 1, with the relevant tasks in the RMF;
    6. Integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
    7. Allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53 Revision 5.

    NIST hast the full release

    Continue Reading

    Sponsored Recommendations

    Enhancing Healthcare Through Strategic IT and AI Innovations

    Learn how strategic IT and AI innovations are transforming healthcare - join Tomas Gregorio as he explores practical applications that enhance clinical decision-making, optimize...

    The Intersection of Healthcare Compliance and Security in the Age of Deepfakes

    As healthcare regulations struggle to keep up with rapid advancements in AI-driven threats like deepfakes, the security gaps have never been more concerning.

    Increasing Healthcare Security Behind and Beyond the Firewall

    Read how 5 identity security solutions can help you protect against these threats while improving user experience and reducing costs.

    Improve and Secure Healthcare Delivery with Digital Identity

    Get a deep understanding of how Digital Identity can help secure your healthcare organization while offering seamless access to your growing portfolio of apps and APIs.