Final version of NIST’s Risk Management Framework 2.0 offers updated risk, security, and privacy guidance
The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) last month released an updated version of its Risk Management Framework to give participating organizations a more detailed methodology for mitigating risk and safeguarding critical digital assets.
The Lowdown: Geared toward both government agencies and private businesses, the Risk Management Framework 2.0 adds integrated data privacy protection principles and processes, as well as tighter alignment with the popular NIST Cybersecurity Framework (CSF), a collection of technical controls for protecting organizations and their data.
The Details: In addition to its new privacy provisions, the Risk Management Framework 2.0 (technically NIST Special Publication 800-37 Revision 2) now includes a preliminary preparation step in its methodology. The “Prepare” step calls for assigning specific risk management roles, documenting and publishing existing controls, and establishing a process for monitoring the effectiveness of the controls over time.
RMF 2.0 also champions the use of automation and orchestration technologies in risk management and mitigation. Such tools are crucial to “the assessment and continuous monitoring of controls, the preparation of authorization packages for timely decision-making, and the implementation of ongoing authorization approaches,” the NIST framework authors wrote.
The Impact: Coupled with the NIST CSF, the new NIST risk guidance gives MSPs and MSSPs a well-documented way to apply consistent risk management processes and controls for clients in a variety of vertical industries, especially those with strict regulatory requirements around data integrity and confidentiality.
Background: NIST released the updated risk framework after seven months of consultation with federal stakeholders and a public comment period. Like the CSF, the RMF 2.0 is mandatory for federal agencies and serves as suggested guidance for private-sector organizations.
The Buzz: The updated risk framework offers users “a very powerful tool to manage both security and privacy risks from a single, unified framework,” NIST fellow and framework co-author Ron Ross said. “It ensures the term compliance means real cybersecurity and privacy risk management, not just satisfying a static set of controls in a checklist.”
Channelnomics Point of View: Solution and service providers rolling out or expanding managed security practices rely on frameworks like the CSF and the RMF to keep their offerings repeatable and scalable. Taking advantage of the tighter integration between the technical controls of the CSF and the risk and privacy processes of the RMF 2.0 offers MSPs and MSSPs a formidable competitive differentiator in a crowded and noisy information security marketplace.