The Risk Management Framework (RMF), the process federal agencies use to manage security and privacy risk to their systems, rests on two core documents, both authored by the National Institute of Standards and Technology (NIST).
NIST Special Publication 800-37 defines the RMF process itself, and SP 800-53 supplies the catalog of security and privacy controls that federal agencies select from to establish adequate protections for their information systems.
Even beyond the federal government, the special publications outlining the RMF have had a significant impact across the private sector. Organizations looking to do business with federal agencies, and even those simply looking for cybersecurity best practices, have turned to the RMF for guidance. Agencies responsible for regulating private business sectors, such as the SEC, have also used these guidelines to shape their own compliance frameworks.
Considering the popularity of the RMF for establishing security standards, it should be no surprise that revisions to SP 800-37 and SP 800-53 have a significant impact in both private and public spheres. That’s why federal agencies and the businesses contracting with them are paying close attention to changes the NIST is planning to roll out through 2019.
If your organization uses the risk management framework as a foundation for security programs, you’ll want to make sure you are tuned in to the forthcoming changes, too, so you’re prepared to meet compliance goals in the coming months.
To that end, let’s take a look at the main revisions currently under consideration for these NIST special publications:
- Application to a wider range of tech assets: While the current version of SP 800-53 makes reference to information systems, the revised draft will omit the term “information.” While this seems like a minor modification, it is being done specifically to bring IoT devices under the RMF umbrella.
- Separating process from control set: In the current revision of SP 800-53, the security and privacy controls are presented inside the process that federal agencies follow under the RMF. The fifth revision decouples the control catalog from that process, so the controls can be applied by any organization rather than only by federal agencies following the RMF, giving them greater reach outside the federal government.
- Executive participation: The revised SP 800-37 adds a seventh step, Prepare, ahead of the six steps in the previous version. This new step sets up risk management at the organization level before any individual system is categorized, and it requires participation from executives and senior leadership in cyber risk management rather than leaving it to system owners alone.
Even small changes to the language contained in Special Publications 800-53 and 800-37 have a big effect on compliance efforts.
Working with a specialist in NIST policy to audit your program and address the gaps can help keep you in line with the security and privacy framework. Lunarline has extensive experience with federal regulations and is happy to help your organization keep its RMF compliance intact. For more information on how we can help, contact us today.