Summary Thoughts on NIST Special Publication (SP) 800-37 Revision 2 (Draft)

By Dan Chandler, Cybersecurity & Privacy Strategic Advisor, Cybersecurity Center of Excellence, Criterion Systems, Inc.

The National Institute of Standards and Technology (NIST) recently announced the final public draft (FPD) of NIST SP 800-37, Revision 2 (Rev 2), Risk Management Framework for Information Systems and Organizations – A System Life Cycle Approach for Security and Privacy. NIST SP 800-37 provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations, including defining RMF roles, responsibilities, and the life cycle process. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information system categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.

The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.

Changes in This Update

This update to NIST SP 800-37 Rev 2 responds to the call by the Defense Science Board, Executive Order 13800, and OMB Memorandum M-17-25 to develop the next-generation RMF for information systems, organizations, and individuals. One of the key changes is the document title, which moves from “Guide for Applying the Risk Management Framework to Federal Information Systems – A Security Life Cycle Approach” to “Risk Management Framework for Information Systems and Organizations – A System Life Cycle Approach for Security and Privacy”. This is important in two ways. Firstly, the word “Federal” has been removed from the title to reflect NIST’s desire to include private industry, and secondly, the word “Privacy” has been added to emphasize the critical connection between cybersecurity and privacy.

Another key change to the RMF is the addition of a “Prepare” step to achieve more effective, efficient, and cost-effective security and privacy risk management processes. Yet another is the addition of a new RMF Task P-13, Information Life Cycle, which describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, including destruction and deletion. Identifying and understanding all stages of the information life cycle has significant implications for security and privacy. The importance of this revision is shown by the amount of time it has been under development and by some of the changes highlighted below.

There are seven major objectives for this update:

  • To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization.
  • To institutionalize critical organization-wide risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF.
  • To demonstrate how the NIST Cybersecurity Framework (CSF) can be aligned with the RMF and implemented using established NIST risk management processes. NIST SP 800-37 Rev 2 addresses alignment of RMF with the NIST CSF by providing specific cybersecurity framework “mappings” within the various RMF steps and activities.
  • To integrate privacy risk management concepts, principles, and processes into the RMF to better support the privacy protection needs for which privacy programs are responsible. NIST SP 800-37 Rev 2 now integrates privacy risk management concepts into the RMF life cycle and also encourages use of the consolidated cybersecurity and privacy controls catalog in NIST SP 800-53 Rev 5.
  • To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160, Volume 1, with the relevant tasks in the RMF. NIST SP 800-37 Rev 2 also provides an alignment of RMF with the systems engineering process as documented in NIST SP 800-160.
  • To integrate security-related supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC. NIST SP 800-37 Rev 2 pays increased attention to SCRM considerations.
  • To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53, Revision 5, which is still undergoing final update and review. NIST SP 800-37 Rev 2 also offers an organization-generated security control selection approach as an alternative to the traditional baseline security control selection approach.

Consideration and implementation of these actions will greatly enhance and smooth the integration of the RMF with the CSF and privacy at the Federal department and agency cybersecurity and privacy program level. One area of potential implementation weakness is the lack of an RMF/Security Assessment and Authorization (SA&A) maturity model, which would enable organizations to measure the maturity and effectiveness of their SA&A policies, processes, procedures, and guidance; reduce and better manage SA&A risks; and mature their overall cybersecurity and privacy program. Using such a model, they would have an effective program designed for their specific mission and business environment that is flexible enough to respond as requirements, threats, vulnerabilities, technologies, and operational environments change. A public comment period for the draft of NIST SP 800-37 Rev 2 is open until October 31, 2018.