The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework (RMF) to address security and privacy concerns for information systems, organizations and individuals.
NIST's RMF updates focus on the following objectives:
- Improving communication about risk management processes and activities between C-suite executives and all other business departments.
- Prioritizing risk management preparedness across all business departments.
- Aligning the NIST Cybersecurity Framework with RMF.
- Integrating privacy risk management processes into RMF.
- Helping organizations develop and leverage secure software and systems based on lifecycle systems engineering processes in NIST SP 800-160 Volume 1.
- Implementing supply chain risk management (SCRM) concepts into RMF.
- Enabling organizations to select security controls to complement traditional security baselines.
The RMF updates are designed to help organizations achieve "more effective, efficient and cost-effective security and privacy risk management processes," according to NIST. They also empower organizations to streamline risk management preparedness in the following ways:
- Driving communication between senior leaders and system owners at the operational level.
- Facilitating organization-wide identification of common security controls and the development of custom control baselines based on an organization's security challenges.
- Reducing the complexity of information technology (IT) and operational technology (OT) infrastructure.
- Eliminating unnecessary security and privacy capabilities that do not address security and privacy risks.
- Identifying and prioritizing high-value assets that require additional protection.
Organizations can use RMF to manage risk and increase automation, NIST said. In that way, organizations can leverage RMF to strengthen their cybersecurity programs, processes and systems and address cyberattacks before they escalate.
NIST Requests Public Comments for Privacy Risk Management Framework
In addition to its RMF updates, NIST last month issued a request for public comments related to the development of a privacy risk management framework. NIST is accepting public comments on its privacy risk management framework until the end of the year and plans to host workshops and offer other opportunities that enable organizations to provide framework input.
The privacy risk management framework is designed to help organizations detect, assess, manage and communicate privacy risks, according to NIST. It could also help organizations develop and implement best practices to safely collect, store, use and share information, align their policy, business, technological and legal approaches, and incorporate privacy protections into their products and services.