In December 2018, the National Institute of Standards and Technology (NIST) published an update to the Risk Management Framework (RMF), the framework that federal agencies, including the Department of Defense, use to manage security risk for their information systems. The comprehensive roadmap is officially titled NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
NIST published Revision 2 on December 20, 2018 to give organizations an integrated and flexible methodology for managing security and privacy risk. Federal agencies must implement the updated RMF (often called RMF 2.0), and DoD contractors that build or operate systems for the government are required to meet its requirements as well.
The RMF describes the process that all federal agencies must follow to secure, authorize, and manage IT systems and the cybersecurity capabilities and services they depend on. Revision 2 integrates privacy risk management and aligns the RMF with the system development life cycle. It also adds guidance on aligning the RMF with NIST's Cybersecurity Framework, supply chain risk management, and systems security engineering.
Ultimately, the updated documentation provides a broader, more comprehensive set of guidelines to manage risk in federal agencies and other organizations seeking to strengthen their risk management process.
The Seven Objectives of RMF 2.0
Revision 2 keeps the six original RMF steps (Categorize, Select, Implement, Assess, Authorize, Monitor) and adds a seventh, Prepare, in front of them. Separately, it identifies seven major objectives, all of which NIST considers essential for successful execution of the RMF:
- Provide a closer link and better communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization.
- Institutionalize critical enterprise-wide risk management preparatory activities to facilitate a more effective, efficient, and cost-effective execution of the RMF.
- Demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes.
- Integrate privacy risk management principles into the RMF to support the privacy protection needs for which privacy programs are responsible.
- Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160 with relevant steps in the RMF.
- Integrate supply chain risk management (SCRM) concepts into the RMF to protect against untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices.
- Provide an alternative organization-generated control selection approach to complement the baseline control selection approach.
A Look Inside the New “Prepare” Step
Most notably, RMF 2.0 adds a new "Prepare" step that outlines the activities essential at the organization and information system levels for managing security and privacy risk, including supply chain risk. Because it precedes the other six steps, "Prepare" is the starting point for executing the RMF.
Its primary objectives include:
- Facilitate effective communication between senior leaders and executives on cybersecurity topics
- Facilitate organization-wide identification of common controls and development of organizationally-tailored control baselines, ultimately reducing workload on individuals, simplifying controls, and decreasing redundant work
- Reduce complexity of the IT and operations technology infrastructure by using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services
- Minimize the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk
- Identify, prioritize, and focus resources on the organization’s high-value assets that require increased levels of protection.
In summary, the key additions incorporated into the RMF 2.0 include:
- Alignment and integration with the NIST Cybersecurity Framework
- Integration of privacy risk management, including for systems that process Personally Identifiable Information (PII)
- Incorporation of the Prepare step
- Task references mapped to the systems security engineering processes in NIST SP 800-160
- Implications for Supply Chain Risk Management
For government vendors, this sets the direction for the practices they will be expected to follow.
Incorporated in 2005, PPT Solutions, Inc. provides systems and software engineering services to government and commercial aerospace organizations, including RMF compliance for Department of Homeland Security IT systems. PPT stands for People, Processes, and Technology, and our goal is to offer solutions that improve how effectively these three work together for optimum performance. Find out more today!