NIST Releases New Draft of 800-37 Revision 2

On May 9, 2018, NIST released a new draft of SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This draft follows a Discussion Draft that was released in September 2017.

The new draft is broad in scope, with NIST encouraging its use in both the government and private sectors. Importantly, this draft integrates privacy risk management concepts into the Risk Management Framework. Earlier versions of the Risk Management Framework focused solely on security. With this update, NIST is integrating privacy in an effort to add “an overarching concern for individuals’ privacy, helping to ensure that organizations can better identify and respond to these risks, including those associated with using individuals’ personally identifiable information.” NIST previously made a similar effort to integrate privacy and security concerns in SP 800-53, Security and Privacy Controls for Information Systems and Organizations.

NIST has several additional objectives with this document, including:

  • To better link risk management processes at the C-suite level with the activities at the system/operational level of an organization;
  • To align the Risk Management Framework with NIST’s Cybersecurity Framework; and
  • To facilitate more effective and efficient risk management.

Additionally, the new draft incorporates supply chain risk management considerations and issues, including “counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potential harmful activities that can impact an organization’s systems and systems components.”

NIST is accepting public comment on the draft until June 22, 2018. A final version is expected in October 2018.

Wiley Connect