
NIST SP 800-37 Rev. 2
NIST Special Publication (SP) 800-37 Risk Management Framework (RMF) Rev. 2, released in 2018
The NIST SP 800-37 RMF Rev. 2, released in 2018, updated the previous RMF by more fully integrating privacy into the RMF process. It also prioritizes security and privacy strategies/activities to focus on protecting an organization’s most critical assets and systems.
The update addresses how organizations can assess and manage risks to their data and systems by focusing on protecting individuals’ personal information, ties the risk framework more closely to the NIST Cybersecurity Framework (CSF), incorporates supply chain risk management, and supports NIST SP 800-53 Rev. 5’s security and safety safeguards. These objectives tie C-level executives more closely to operations and reduce an organization’s IT footprint and attack surface.
Addition of an Important Step to Risk Management: Prepare
The Prepare step addresses key organizational and system-level activities that can lead to efficient and cost-effective risk management processes.
Organization-level activities include:
- Assigning key roles and identifying key stakeholders
- Establishing a risk management strategy
- Understanding threats to information systems and organizations
System-level activities include:
- Determining the types of information the system processes, stores, and transmits
- Conducting a system risk assessment
- Identifying security and privacy requirements applicable to the system and its environment
The primary objectives of organization-level and system-level preparation are to:
- Align organizational priorities with resource allocation and prioritization at the system level
- Determine acceptable limits for selecting and implementing controls within the organization’s risk tolerance
- Promote organization-wide identification of common controls and development of tailored control baselines to address specific needs and reduce costs of system development and protection
- Reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services
