
NIST updates Risk Management Framework

The National Institute of Standards and Technology is updating its Risk Management Framework (RMF) to help public- and private-sector organizations better protect critical infrastructure and individuals' privacy.

The new version addresses how organizations assess and manage risks to their data and systems, with new emphasis on protecting individuals' personally identifiable information (PII). Information security and privacy programs share responsibility for managing risks from unauthorized system activities or behaviors, the draft states, making their goals complementary and coordination essential. Privacy programs also manage risks that arise from authorized processing of PII, which is why the draft treats the two programs as complementary rather than identical.

The draft update (Special Publication 800-37 Revision 2) also ties the RMF more closely to the Cybersecurity Framework (CSF).

“Until now, federal agencies had been using the RMF and CSF separately,” NIST Fellow Ron Ross, one of the publication’s authors, wrote in a May 9 blog post. “The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF.”

While the frameworks are optional for the private sector, federal agency compliance with the RMF became mandatory under the Federal Information Security Modernization Act of 2014. Agencies were also directed to comply with the CSF under a May 2017 executive order (Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure).

The updated RMF also makes other changes:

  • Integrating security and privacy into the system development life cycle.
  • Connecting senior leaders to operations to better prepare for RMF execution.
  • Incorporating supply chain risk management considerations.
  • Supporting security and privacy safeguards from NIST’s Special Publication 800-53 Revision 5.

NIST is accepting comments on the draft until June 22.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.
