National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 revision 2 is a Risk Management Framework for Information Systems and Organizations: A System Lifecycle Approach for Security and Privacy.
NIST SP 800-37 rev 2 was published in December of 2018 and describes the Risk Management Framework (RMF) and guidelines on how to apply RMF to information systems.
The Special Publication is inline with the Office of Management and Budget (OMB) requirements, specifically the OMB circular a-130. The RMF outlines the necessary structure and processes to manage security, privacy, and risk. The framework includes information on security categorization, which controls to select, implement, assess, and continuously monitor.
The goal of the RMF is to prepare organizations to execute appropriate risk management activities through a life cycle. The framework also provides a cybersecurity roadmap to provide near real-time risk management on information systems with a decision tree supporting privacy and security.
Roles and responsibilities and a Summary of RMF Tasks can also be found in NIST SP 800-37 revision 2 to establish accountability and responsibility for controls within an organization’s information systems.
What’s new in NIST SP 800-37 r2?
Originally put together in 2005, NIST SP 800-37 revision 2 expanded in seven key areas in 2018:
- Closer communication between the risk management process and activities at the C-suite level in an organization. Particular focus is given to the governance level, processes, individuals, and system activities related to operations.
- Institute a more cost-effective and efficient execution of the RMF.
- Demonstrate how the NIST CSF can align with the RMF and be implemented using the NIST risk management process.
- Integrate privacy risk management processes into the RMF to support privacy and protection needs.
- Promote the development of trusted security software and systems.
- Integrate security-focused supply chain risk management (SCRM) concepts into the RMF to address risks related to suppliers.
- Allow an organization control selection approach to complement traditional baseline controls.
Fundamentals of NIST SP 800-37 r2
The RMF outlined in NIST SP 800-37 r2 provides guidelines regarding how best to manage security and privacy risks with focus on applying best practices to information systems. The management of security and privacy Is up to the senior leadership and executed by the team responsible for risk management strategy. Privacy protections and security protections for information systems and individuals are implemented with appropriate risk response strategies.
To support ongoing risk management processes, ongoing authorization decisions must be made. Whenever possible, integrating controls into the SDLC process is important to overall systems engineering. The fundamentals outlined in the RMF help organizations manage security and privacy risk to satisfy requirements related to the Federal Information Security Modernization Act (FISMA) of 2014.
Steps and Structure
Organization-wide risk management via the RMF begins with involvement from the entire organization. The RMF contains a three-tiered approach, or levels, to organization-wide risk management. Level one prepares an organization for the RMF. Level two helps the organization plan the execution of RMF at the mission/business process level. The third level addresses risk from the perspective of information systems. In contrast to the Level 1 and 2 activities that prepare the organization for the execution of the RMF, Level 3 addresses risk from an information system standpoint and are guided and informed by the risk decisions at the organization and mission/business process levels.
RMF Security and Privacy
To be effective, the RMF requires an information security program as well as a privacy program. Like most cybersecurity frameworks, the goal of an information security program is to provide confidentiality, integrity, and availability to the information systems level and the data layer.
Privacy programs ensure compliance with control frameworks that are used to protect Personally Identifiable Information (PII). The RMF is only effective when both information security and privacy programs are working together.
An example of this is when information systems are processing PII. Both the information security program and the privacy program are responsible to safeguard the information. If either stand-alone, information security is compromised.
Think of the RMF elements as an environment of operation. There are specific boundaries and systems elements that are authorized to function within a boundary. Granted, there are other systems outside the authorization boundary that feed information in as well as information going out. What matters is that the authorization boundaries are clearly defined by:
- Supporting business functions
- Have the same security and privacy requirements
- Process, store, and transmit similar types of data
- Reside in the same operating environment.
This diagram is taken directly from NIST SP 800-37 r2 and can be found at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
The relationship between requirements and security controls must be well understood before executing the RMF. A requirement tells someone what needs to be done while a control tells someone how to do it. Requirements in the RMF encompass legal, cyber, systems, and data.
A common control catalog framework to use as a reference is the NIST Cyber Security Framework (NIST CSF). Controls describe the approach to obtain organizational objectives. Controls often contain the technical aspects paired with the parameters of implementation.
Posture in Security and Privacy
The entire purpose of the RMF is to make sure that organizations and information systems are protected and decision-makers have accurate information in which to make risk-based decisions. To get this information, there need to be common controls and privacy/security posture assigned to each information system.
The security and privacy posture must outline the status of the information system and prove the management, health, and defensibility of the system. The organization must also prove that they can manage privacy risk, prevent tampering, and react to changes in organization or system.
Supply Chain Risk Management
In the new age of supply chain risk management (SCRM), organizations are responsible for the cybersecurity posture of their suppliers. The responsibility extends as far as a potential risk might impact the organization or organizational data. Organizations are growing more dependent on a supply chain for goods and services that they no longer make themselves.
The global economy has made sourcing incredibly easy but also exposed it to untrustworthy suppliers. A well-developed SCRM is imperative to combat the presence of third party risk. Think of SCRM as a system life cycle approach. Only in working together can the RMF and SCRM mitigate the overall risk contained in the supply chain.
Executing the Risk Management Framework
There are seven steps that the RMF utilizes for successful execution:
- Prepare the organization for the RMF by establishing context and priorities for managing security and privacy risk.
- Categorize the information systems and data.
- Select the controls that the systems and data need to reduce risk.
- Implement the controls and describe how the controls impact the system and data.
- Assess the controls to verify they are performing as intended.
- Authorize the common controls based on ongoing risk assessments.
- Monitor the systems and controls on an ongoing basis.
The RMF utilizes an SDLC approach to ensure that security and privacy requirements are followed for information systems and an organization. Information Technology and Security play a large role in bringing privacy requirements to implementation through privacy controls.
An organization’s development practices, systems engineering processes, and traditional baseline control selection approach make a huge difference in implementing the RMF. The key to a successful RMF implementation has a lot to do with continuous monitoring and being agile enough to make changes when deviations are detected.
Senior leaders of an organization need to be well informed to make risk-based decisions. Security assessments accompanied by risk assessments help an organization with its major objectives and establish a control baseline. In the end, the RMF makes the mission possible.