NIST Announces the Initial Public Draft of SP 800-37, Rev. 2

Editor’s Note: Executive Order 13800 Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is available here. OMB Memorandum M-17-25 Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is available here.

From: NIST

NIST is delighted to share that the Initial Public Draft of NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations, is available for public comment.

In response to Executive Order (E.O.) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, OMB Memorandum M-17-25, and the call to action by the Defense Science Board, this update to NIST Special Publication 800-37 (Revision 2) serves as the next-generation Risk Management Framework (RMF) for systems, organizations, and individuals.  Further, RMF 2.0 supports key objectives for the federal government – system modernization, the aggressive use of automation, and the consolidation, standardization, and optimization of federal systems and networks to strengthen the protection for high-value assets.

There are seven major objectives for this update:

  • To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  • To institutionalize critical organization-wide risk management preparatory activities to facilitate a more effective, efficient, and cost-effective execution of the RMF;
  • To demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
  • To integrate privacy risk management concepts and principles into the RMF and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5;
  • To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160 with the steps in the RMF;
  • To integrate supply chain risk management (SCRM) concepts into the RMF to protect against untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  • To provide an alternative organization-generated control selection approach to complement the traditional baseline control selection approach.

A public comment period for this draft document is open until June 22, 2018.  Please submit comments to sec-cert@nist.gov using the template found at https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft.
