4 Critical Elements of the NIST Risk Management Framework

The world has become heavily dependent on technology. To deal with the challenges, the NIST risk management framework from the National Institute of Standards and Technology was developed. As the NIST explains, their risk management framework (RMF) incorporates concepts of their cybersecurity framework, systems security engineering, and privacy risk management concepts. In this article, we’ll cover the most pertinent things that you should know about the NIST framework.

Understanding the Most Recent Updates

The most recent update to the framework was produced in December 2018 and addressed many shortcomings that the NIST framework’s initial publication lacked. The latest iteration deals with helping departments assess and manage risk by focusing on protecting personal data. The responsibility for protecting this personal data is shared between information security and privacy programs. The NIST Cybersecurity Framework is already an accepted standard, which we covered in detail in a previous post. The new NIST Risk Management Framework ties itself heavily to the standards conceptualized by the cybersecurity framework.

Additionally, the NIST Risk Management Framework adds preparation before instituting its changes. The first step organizations are asked to pursue is addressing the most critical organizational and system-level activities. Organizational activities include understanding current threats to the information systems, developing and implementing the company’s risk management strategy, and understanding the vital stakeholders in the process. System-level prep also deals with identifying stakeholders, but specifically those that directly influence the system. Preparation at the system level also includes conducting a risk assessment on the existing system and terminating the security and privacy requirements necessary for the system to operate safely.

Supply Chain Risk Management (SCRM)

Within a supply chain, businesses are likely to interact with suppliers that may or may not have the same stringent security protocols introduced by their own risk management framework. To ensure that the system continues to perform as expected, personnel must verify that suppliers further up the supply chain conform to the NIST standards. Formal agreements or contracts should govern supplier operations such as storage, processing, and federal information transmission. The responsibility for ensuring that these standards are met falls to the organization through the authorizing personnel assigned to the supply chain.

Cloud and Shared System Authorization to Use

Authorization to Use (ATU) applies to all cloud and shared applications, systems, and services. Typically, it should be implemented if the information contained within a packet doesn’t originate within the organization itself. The stipulation is that the organization must review the incoming packet for risk following their risk management strategy. Since this authorization happens internally within the organization, it saves costs to the supplier who doesn’t need to get the data verified by an external investigating committee. Facility authorization extends this consideration, allowing systems existing within a particular environment to inherit the parent organization’s controls and privacy plans.

A Holistic Approach to Security and Privacy

Organizations that depend on technology to perform their functions don’t have the luxury of ignoring the institution’s cybersecurity needs. The latest iteration of the NIST Risk Management Framework seeks to integrate the existing risk management framework that the business has already developed. Additionally, senior management feels more connected to the operations needed to ensure security across the organization. Governance-level decisions can then be informed by the practices and implementations done on the risk management framework. The current framework also keeps all the most pertinent developments that the NIST cybersecurity framework already uses, giving it a basis to build on. If you’re interested in finding out how the Risk management Framework works within an organization, contact our offices today! We can assist you with your business’ NIST risk management framework strategy.