The NIST Risk Management Framework (NIST SP 800-37, RMF) is a set of rules and guidelines a company must follow in designing, implementing, and operating its information systems. Its goal is to ensure that the organization applies appropriate information risk management strategies with regard to data privacy and security (Scherer, 2020). The framework describes a cyclical process consisting of seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor (National Institute of Standards and Technology [NIST], 2018).
While these steps are described sequentially, the RMF allows and expects a degree of flexibility and divergence from the proposed order if effectiveness and efficiency require it (NIST, 2018). Since the process is cyclical, once the final step is completed, the framework calls for observing the currently implemented procedures and performing the steps again to refine and improve them.
The first step, Prepare, calls for assigning key roles within the organization, performing a risk assessment, and implementing a control effectiveness strategy. During the Categorize step, the characteristics of the information system are documented, and the information it handles is categorized by the impact level of a loss of confidentiality, integrity, or availability (NIST, 2018). In the Select step, controls for the system are determined, and a monitoring strategy for these controls is developed (NIST, 2018). The fourth step, Implement, calls for the actual implementation of these controls and the recording of any information gleaned from the implementation process so that the system can be improved in later iterations (NIST, 2018).
In the Assess step, the effectiveness of the implementation is verified, and reports are prepared on whether the controls are producing the desired outcomes (NIST, 2018). In the Authorize step, a senior management official determines whether the security and privacy risks of operating the information system are acceptable (NIST, 2018). Finally, the Monitor step involves ongoing observation and analysis of the system in order to update and improve it (NIST, 2018). Together, these steps form a continuous process in which data is constantly gathered to inform the subsequent steps.
The importance of an information system risk management strategy cannot be overstated. As the world becomes more connected through the internet and more private or privileged data is stored in connected systems, the risk of attacks on this data, deliberate or otherwise, increases. Cybersecurity, however, is still an emerging field; standards and frameworks for information and data security are changing and improving rapidly, and the corresponding enforcement mechanisms are only now being put in place. Choosing a framework such as NIST SP 800-37 and adhering to it throughout the company’s lifetime is thus a crucial step in ensuring compliance once regulations are implemented.
Furthermore, protecting customers’ and employees’ personal data is a significant ethical concern, and additional steps to safeguard it are critical for an organization (Lee, 2017). Relatedly, accountability is critical in today’s business environment, yet it is generally lacking in cybersecurity (Nasdaq, 2016). Part of this stems from an overall low level of cybersecurity education among business executives and specialists not directly involved in the field (Nasdaq, 2016). The RMF addresses accountability directly in its Assess and Authorize steps.
The RMF places additional emphasis on supply chain risks related to the operation of an information system. These are the risks associated with other organizations that supply goods and services to the organization implementing the framework (Singh, 2019). Supply chain risk management strategies include identifying such risks and preparing response and mitigation actions. This is another critical element of an organization’s information system security and risk management strategy, since threat actors can leverage vulnerabilities in the supply chain’s information systems to execute an attack.
Lee, T. (2017). Companies should consider cybersecurity a matter of ethics. Government Technology. Web.
Nasdaq. (2016). Bridging the accountability gap: Why we need to adopt a culture of responsibility. Web.
National Institute of Standards and Technology. (2018). Risk management framework for information systems and organizations: A system life cycle approach for security and privacy.
Scherer, T. (2020). What is NIST Special Publication 800-37 Revision 2? Reciprocity. Web.
Singh, D. (2019). Mitigating cybersecurity risks & compliance with NIST SP 800-37 Revision 2. Sedara. Web.