
Revisiting the Risk Management Framework in Light of Revision 2
It doesn’t seem very long ago that I was writing about the newly released Risk Management Framework (RMF) and explaining the value of NIST SP 800-37 to our clients. With RMF Revision 2 just recently published in December of 2018, I thought it would be a good time to revisit the RMF and to highlight some of its key updates.
Overall, the new version takes a more holistic approach to the risk management process, integrates privacy and adds RMF to the software development life cycle (SDLC). Revision 2 also includes information on aligning the RMF with NIST’s Cybersecurity Framework (CSF), supply chain and security engineering.
Why should Tripwire clients become familiar with Rev 2? RMF Rev 2 now provides much broader and more comprehensive guidance for managing risk in federal agencies and in other organizations seeking to strengthen their risk management process.
If you are new to the RMF, it is most commonly associated with the NIST SP 800-37 guide, “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” which has been a core FISMA guidance document since 2004. NIST SP 800-37 was the product of the Joint Task Force Transformation Initiative Interagency Working Group and is something that every agency of the U.S. government must now abide by and integrate into its processes. It was integrated into DoD instructions, and many organizations are now following its guidance for compliance with the RMF.
For all federal agencies, the RMF describes the process that must be followed to secure, authorize and manage IT systems. The RMF defines a process cycle that is used first to secure systems through an Authorization to Operate (ATO) and then to integrate ongoing risk management (continuous monitoring).
Risk Management Framework Steps
As a recap, the RMF is a six-step (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Steven Tipton. Read the original post at: https://www.tripwire.com/state-of-security/government/risk-management-framework-revision-2/