NIST seeks comments on revision of risk management framework

The National Institute of Standards and Technology has released a second draft of Special Publication 800-39, titled 'Managing Risk from Information Systems: An Organizational Perspective,' for public comment.

NIST calls the document the flagship publication in the standards and guidelines it is developing under the Federal Information Security Management Act. It provides a framework for managing the risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the use of information systems. It builds on a foundation of best security practices for agency leaders, chief information officers, information system designers, developers and administrators, auditors, and inspectors general.

The current version of the document contains significant changes based on feedback on the first draft, released last fall. Comments on the current draft are being accepted at [email protected] until April 30. The changes include:
  • Linking the Risk Management Framework in SP 800-39 and the federal enterprise architecture to help integrate information security into organizational missions and business processes.
  • Guidance on applying the Risk Management Framework organizationwide, focusing initially on mission and business processes and subsequently on the information systems supporting those processes.
  • Extending recommendations in the Strategic Planning Considerations section to address issues dealing with sophisticated adversaries and advanced cyberattacks.
  • Consolidating the 'select' and 'supplement' steps in the framework into a single step that covers the selection of the initial security control baseline, application of tailoring guidance, and supplementation with additional controls based on an organizational assessment of risk.
  • Distributing the 'document' step in the framework across multiple steps, including the development of the security plan, security assessment report, and the plan of action and milestones.
  • Extending the application of security plans to information systems and the infrastructure supporting those systems to help ensure that all security controls needed to protect the mission and business processes of an organization are assigned to responsible parties with accountability for development, implementation and assessment.

SP 800-39 is being developed in collaboration with the Office of the Director of National Intelligence and the Defense Department as part of an effort to converge critical information security standards across government, including civilian agencies, the military and the intelligence community. The goal is a standardized approach to information security that builds on a common foundation while allowing communities of interest to define and respond to their unique security requirements.

In addition to developing the Risk Management Framework in SP 800-39, NIST is also revising SP 800-30, 'Risk Management Guide for IT Systems,' to focus exclusively on risk assessment as it applies to the steps in the framework. Revision 1 of SP 800-30 is expected to be published in July.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected