The National Institute of Standards and Technology has issued a Final Draft of Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations–A System Life Cycle Approach for Security and Privacy. The draft features several updates addressing supply chain risk, alignment with the NIST Cybersecurity Framework, and the pending update to NIST SP 800-53, Revision 5, the security control catalog for federal information systems, which now places added emphasis on privacy and integrates privacy controls alongside the security controls.

One of the key changes is the introduction of a new step in the process: “Prepare.” This step precedes the existing Categorize, Select, Implement, Assess, Authorize, and Monitor steps and consists of organization-level and system-level tasks (for example, assigning risk management roles, establishing a risk management strategy, and identifying common controls) carried out before system-level work begins. Its purpose is to achieve more cost-effective and efficient security and privacy risk management processes. The revised RMF reflects the increasing trend toward treating risk assessment and risk management as a comprehensive, enterprise-wide responsibility rather than as a series of discrete activities divided into subject-matter silos.

Read the full post at Crowell & Moring Data Law Insights