Understanding NIST’s new Risk Management Framework
The National Institute of Standards and Technology recently published the final version of its latest Risk Management Framework, giving organizations across all sectors a comprehensive roadmap for integrating their cyber-security, privacy, and supply-chain risk management processes.
NIST published Risk Management Framework (RMF) 2.0—formally called NIST Special Publication 800-37 Revision 2—on Dec. 20, 2018, following a seven-month consultation and comment period. Importantly, RMF 2.0 provides cross-references to NIST’s widely adopted Cybersecurity Framework (CSF) throughout the 183-page document, so that users of the RMF can see exactly where and how both frameworks align with one another.
Published in April 2018, the CSF has been widely adopted in the private sector as a yardstick against which companies measure their cyber-security practices relative to the threats they face. Cyber-security professionals, chief privacy officers, and even supply-chain risk managers can use RMF 2.0 in much the same way—by selecting the specific security and privacy controls they need to implement within their own organizations. Moreover, the framework has been purposefully designed to be “technology neutral so that the methodology can be applied to any type of information system without modification.”