The National Institute of Standards and Technology recently published the final version of its latest Risk Management Framework, gifting companies across all sectors with a comprehensive new roadmap as they look to seamlessly integrate their cyber-security, privacy, and supply-chain risk management processes.


NIST published Risk Management Framework (RMF) 2.0—formally called NIST Special Publication 800-37 Revision 2—on Dec. 20, 2018, following a seven-month consultation and comment period. Importantly, RMF 2.0 provides cross-references to NIST’s widely adopted Cybersecurity Framework (CSF) throughout the 183-page document, so that users of the RMF can see exactly where and how both frameworks align with one another.

Published in April 2018, the CSF has been widely adopted by many in the private sector as a yardstick against which companies measure their cyber-security practices relative to the threats they face. Cyber-security professionals, chief privacy officers, and even supply-chain risk managers can use RMF 2.0 in much the same way—by choosing the specific security and privacy controls that they need to implement within their own organizations. Moreover, the framework has been purposefully designed to be “technology neutral so that the methodology can be applied to any type of information system without modification.”

One of the main objectives of RMF 2.0 is “to provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization,” NIST said.

Whereas earlier versions of the framework focused primarily on cyber-security protections from external threats, the new version has been enhanced with privacy risk-management processes “to better support the privacy protection needs for which privacy programs are responsible,” NIST said.

Although RMF 2.0 principally focuses on managing information-security and privacy risk, supply chain risk management (SCRM) concepts that overlap with these risks are also specifically incorporated in several areas of the framework to help promote a more holistic approach to managing security and privacy risks.

Because of the increased reliance on third parties and commercial-off-the-shelf products, systems, and services, attacks in the supply chain are increasing. “Adversaries are using the supply chain as an attack vector and effective means of penetrating our systems, compromising the integrity of system elements, and gaining access to critical assets,” NIST said.


Thus, RMF 2.0 incorporates SCRM processes with the overall objective, NIST said, “to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the [system development lifecycle].”

Ron Ross, a fellow with NIST and one of the report’s authors, says “RMF 2.0 is the only framework in the world that integrates security, privacy, and supply-chain risks.” While adoption of the RMF and CSF is mandatory only for federal agencies, many in the private sector can—and do—use it to enhance their own controls.

Tips for streamlining RMF implementation

Within NIST Special Publication 800-37 Revision 2, NIST provides the following tips for streamlining implementation.

  • Use the tasks and outputs of the organization-level and system-level “prepare” step to promote a consistent starting point within organizations to execute the RMF.
  • Maximize the use of common controls to promote standardized, consistent, and cost-effective security and privacy capability inheritance.
  • Maximize the use of shared or cloud-based systems, services, and applications where applicable, to reduce the number of organizational authorizations.
  • Employ organizationally tailored control baselines to increase the speed of security and privacy plan development, promote consistency of security and privacy plan content, and address organization-wide threats.
  • Employ organization-defined controls based on security and privacy requirements generated from a systems security engineering process.
  • Maximize the use of automated tools to manage security categorization; control selection, assessment, and monitoring; and the authorization process.
  • Decrease the level of effort and resource expenditures for low-impact systems if those systems cannot adversely affect higher-impact systems through system connections.
  • Maximize the reuse of RMF artifacts (e.g., security and privacy assessment results) for standardized hardware/software deployments, including configuration settings.
  • Reduce the complexity of the IT/OT infrastructure by eliminating unnecessary systems, system elements, and services—employ least functionality principle.
  • Make the transition to ongoing authorization and use continuous monitoring approaches to reduce the cost and increase the efficiency of security and privacy programs.

Source: National Institute of Standards and Technology

“They may just use it on a voluntary basis because they want to protect their company’s assets, their information, their operations,” Ross says. “This is why we’re trying to bring more discipline and structure to the whole area of security and privacy.”

New ‘prepare’ step

In total, the framework includes seven steps, as well as a detailed summary of tasks and expected outcomes for each of those steps. “All seven steps are essential for the successful execution of the RMF,” NIST said.

Among its most significant changes, RMF 2.0 includes a new “prepare” step—the first step in the framework outlining which activities are essential at the organizational and information-system levels to help manage security and privacy risks, including supply-chain risk.

NIST recommends using the tasks discussed in the prepare step to promote a consistent starting point to execute the RMF. The intent of this step, NIST said, is to leverage activities that security, privacy, and supply-chain programs already conduct “to emphasize the importance of having organization-wide governance and the appropriate resources in place to enable the execution of cost-effective and consistent risk management processes across the organization.”

As discussed in RMF 2.0, preparation tasks may include, for example:

  • Assigning roles and responsibilities for organizational risk management processes;
  • Establishing a risk-management strategy that includes a determination of risk tolerance;
  • Identifying the missions, business functions, and business processes the information system is intended to support;
  • Identifying and prioritizing assets that require protection, including information assets;
  • Conducting organization- and system-level risk assessments; and more.

“Risk assessments of the organization’s supply chain may be conducted, as well,” NIST said. How SCRM strategies are documented may vary. At the organization and business-process levels, for example, SCRM strategies can be documented in the company’s information-security program plan or in a separate business process-level SCRM strategy plan. For more guidance, turn to NIST’s SCRM strategy template in SP 800-161.

The remaining six steps, which NIST describes in significant detail, are:

  • Categorize the system and the information processed, stored, and transmitted by the system based on an impact analysis.
  • Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.
  • Implement the controls and describe how the controls are employed within the system and its environment of operation.
  • Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
  • Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, and other organizations is acceptable.
  • Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.

For cyber-security professionals, chief privacy officers, and supply-chain risk managers seeking additional guidance, “we’re working on a companion publication, which should be out in a couple of months,” Ross says. That publication is NIST Special Publication 800-53, a catalog of security and privacy controls to be used alongside the Risk Management Framework.