IT disaster recovery, cloud computing and information security news

NIST consults on revision to information systems risk management guidance

The US NIST has published the final public draft of Special Publication 800-37, ‘Revision 2, Risk Management Framework for Information Systems and Organizations - A System Life Cycle Approach for Security and Privacy’ and is seeking comments. These should be submitted by the deadline of October 31st. 

There are seven major objectives for this update:

  • To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  • To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the risk management framework (RMF);
  • To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
  • To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
  • To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1, with the relevant tasks in the RMF;
  • To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  • To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.

The addition of the Prepare step is one of the key changes to the RMF - incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.

Read the draft publication and submit comments using the comment template to sec-cert@nist.gov.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.