In late December 2018, NIST published a second revision of SP800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. The revised publication addresses an updated Risk Management Framework (RMF) for information systems, organizations, and individuals, in response to Executive Order 13800 and OMB Circular A-130 regarding the integration of privacy into the RMF process.
Now that the dust has settled, we are taking another look at the update. If achieved as intended, these objectives tie C-level execs more closely to operations and significantly reduce the information technology footprint and attack surface of organizations. They also promote IT modernization objectives, and prioritize security and privacy activities to focus protection strategies on the most critical assets and systems. It also more closely incorporates supply chain risk management into the framework.
A Closer Look At The Updates
This version of the publication addresses how organizations can assess and manage risks to their data and systems by focusing on protecting the personal information of individuals. Information security and privacy programs share responsibility for managing risks from unauthorized system activities or behaviors, making their goals complementary and coordination essential. The second revision of the RMF now ties the risk framework more closely to the NIST Cybersecurity Framework (CSF). The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF.
It also introduces an additional preparation step, addressing key organizational and system-level activities. On the organization level, these activities include assigning key roles, establishing a risk management strategy, identifying key stakeholders, and understanding threats to information systems and organizations. System level preparation activities include identifying stakeholders relevant to the system; determining the types of information processed, stored, and transmitted by the system; conducting a system risk assessment; and identifying security and privacy requirements applicable to the system and its environment.
Preparation can achieve efficient and cost-effective execution of risk management processes. The primary objectives of organization level and system level preparation are to:
- Facilitate better communication between senior leaders and executives in the C-suite, and system owners and operators.
- Align organizational priorities with resource allocation and prioritization at the system level
- Convey acceptable limits regarding the selection and implementation of controls within the established organizational risk tolerance
- Promote organization-wide identification of common controls and the development of tailored control baselines, to reduce the workload on individual system owners and the cost of system development and protection
- Reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services through the application of enterprise architecture concepts and models
- Identify, prioritize, and focus resources on high-value assets and high-impact systems that require increased levels of protection
- Facilitate readiness for system-specific tasks
The incorporation of supply chain risk management (SCRM) is another important theme addressed in the publication. Specifically, organizations must ensure that security and privacy requirements for external providers, including the controls for systems processing, storing, or transmitting federal information, must be delineated in contracts or other formal agreements. It is ultimately the responsibility of the organization and authorizing official to respond to risks resulting from the use of products, systems, and services from external providers.
Finally, SP800-37 Rev. 2 supports security and privacy safeguards from NIST’s Special Publication 800-53 Revision 5. The updated RMF document states that the revision 5 separates the control catalog from the control baselines that have been included historically in that publication. A new companion publication, NIST Special Publication 800-53B, Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations, defines the recommended baselines.
In other changes to the RMF, Appendix F System and Common Control Authorizations now includes Authorization to Use (ATU) as an authorization decision applied to cloud and shared systems, services, and applications. It would be employed when an organization chooses to accept the information in an existing authorization package generated by another organization. Page 123 notes, “An authorization to use requires the customer organization to review the authorization package from the provider organization as the fundamental basis for determining risk… An authorization to use provides opportunities for significant cost savings and avoids a potentially costly and time-consuming authorization process by the customer organization.” Additionally, the appendix addresses a facility authorization, allowing systems residing within a defined environment to inherit the common controls and the affected system security and privacy plans.
Summing It Up
SP-800-37 promotes the integration of the agency’s privacy program into the RMF, allowing the organization to produce risk-related information on both the security and privacy posture of organizational systems and the mission/business processes supported by those systems. It also connects senior leaders to operations to better prepare for RMF execution, providing closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational levels of the organization. All in all, these are much-welcome changes to the framework, as better integration means tighter and more efficient controls that ensure assets are properly safeguarded by private and public sector organizations.
Author's note: Baan Alsinawi, president and founder of integrated risk management firm TalaTek, has more than two decades of experience in information technology (IT). She is a member of ISC2 and is CISSP and ITIL certified.