The NIST Special Publication (Revision 2) is this year’s second update, published as a response to the Executive Order signed by Trump meant to strengthen the Cybersecurity of federal network and critical infrastructure. This update aims to develop a sturdy, easy to use Risk Management Framework (RMF) for organizations and systems.
Importance of Digital Security
We are growing more depended on technology for everything, as the world progresses to a fully digital age. Soon, everything from dishwashers, cameras, smart homes, and other devices will be internet enabled and will communicate with each other. Other than common household appliances, the military systems, emergency services, the electric grid depend on the web and technology.
With each passing day, there are security breaches of organization systems, personal devices, and even government agencies. There is also rising fear of meddling of government systems by foreign countries such as the Chinese and Ru25ssian hacks. The first RMF framework by NIST created back in 2014 during the Obama administration was voluntary for adoption by non-federal bodies. This year NIST seems to be shifting from a non-regulatory body to ensure the conformity of agencies through auditing.
The NIST Special Publication (Revision 2)
In January 2017, the original Cybersecurity Framework published in 2014, received an update to encourage more adoption. The update was to add recommendations from security experts and make it easy to understand by simplifying vocabulary. Terms such as authentication and authorizations were clarified, and new concepts such as identify proofing added.
The new update is a discussion draft, which will receive an update in November 2017, final draft in 2018 and last publication in March 2017. The primary objectives are to ensure communications between the risk management processes and activities at the C-suite level in the organization. Also, the draft seeks to promote a more cost-effective implementation of the RMF for systems and organizations.
The RMF 2.0 also aims to show how the Cybersecurity Framework can be executed using existing NIST risk management processes. Finally, it seeks to integrate privacy concepts into the RMF and support use of the privacy control catalog defined in the previous NIST Special Publication in January.
Risk Management Framework Steps
Preparation: Includes the assignment of roles and responsibilities of participants in the risk management process. Identification of assets that need protection occurs and the information lifecycle determined.
Selection: The second step involves the selection of privacy controls to reduce risk and documentation of the controls. A monitoring strategy that matches the organization’s system is developed. Finally, the approval of selected security and privacy controls happens.
Assessment: Functions to monitor if the controls implemented by the organization work correctly to guarantee confidentiality and safety. After the findings, recommendations to weaknesses and deficiencies are proposed and implemented by updating the system.
Authorization: A senior management official ensures that the implemented privacy and security controls for risk management are acceptable.
Monitoring: Involves keeping track of changes and maintaining continuous awareness of the security and privacy posture of the system in supporting the risk management.
NIST Popularity is growing in the non-federal market, and adopting it could mean increased security through controls. The publication details the process and the stakeholders completely to ensure implementation of cyber management from agencies to small businesses.