NIST seeks comments on revision of risk management framework

The National Institute of Standards and Technology has released a second draft of Special Publication 800-39, titled 'Managing Risk from Information Systems: An Organizational Perspective,' for public comment.

NIST calls the document the flagship publication in the standards and guidelines it is developing under the Federal Information Security Management Act. It provides a framework for managing the risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the use of information systems. It builds on a foundation of best security practices for agency leaders, chief information officers, information system designers, developers and administrators, auditors, and inspectors general.

The current version of the document contains significant changes based on feedback on the first draft, released last fall. Comments on the current draft are being accepted at [email protected] until April 30. The changes include:
  • Linking the Risk Management Framework in SP 800-39 and the federal enterprise architecture to help integrate information security into organizational missions and business processes.
  • Guidance on applying the Risk Management Framework organizationwide, focusing initially on mission and business processes and subsequently on the information systems supporting those processes.
  • Extending recommendations in the Strategic Planning Considerations section to address issues dealing with sophisticated adversaries and advanced cyberattacks.
  • Consolidating the 'select' and 'supplement' steps in the framework into a single step that covers the selection of the initial security control baseline, application of tailoring guidance, and supplementation with additional controls based on an organizational assessment of risk.
  • Distributing the 'document' step in the framework across multiple steps, including the development of the security plan, security assessment report, and the plan of action and milestones.
  • Extending the application of security plans to information systems and the infrastructure supporting those systems to help ensure that all security controls needed to protect the mission and business processes of an organization are assigned to responsible parties with accountability for development, implementation and assessment.

SP 800-39 is being developed in collaboration with the Office of the Director of National Intelligence and the Defense Department as part of an effort to converge critical information security standards across government, including civilian agencies, the military and the intelligence community. The goal is a standardized approach to information security that builds on a common foundation while allowing communities of interest to define and respond to their unique security requirements.

In addition to developing the Risk Management Framework in SP 800-39, NIST is also revising SP 800-30, 'Risk Management Guide for IT Systems,' to focus exclusively on risk assessment as it applies to the steps in the framework. Revision 1 of SP 800-30 is expected to be published in July.

About the Author

William Jackson is a Maryland-based freelance writer.

