NIST Releases New Draft of 800-37 Revision 2
On May 9, NIST released a new draft of 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This draft follows a Discussion Draft that was released in September 2017.
The new draft is broad in scope—with NIST encouraging use in both the government and private sectors. Importantly, this draft integrates privacy risk management concepts into the Risk Management Framework. Earlier versions of the Risk Management Framework focused solely on cybersecurity. With this update, NIST is integrating privacy in an effort to add “an overarching concern for individuals’ privacy, helping to ensure that organizations can better identify and respond to these risks, including those associated with using individuals’ personally identifiable information.” NIST previously made a similar effort at integrating privacy and security concerns in its 800-53 document, Security and Privacy Controls for Information Systems and Organizations.
NIST has several additional objectives with this document, including:
- To better link risk management processes at the C-Suite level with the activities at the system/operational level of an organization;
- To align the Risk Management Framework with NIST’s Cybersecurity Framework; and
- To facilitate more effective and efficient risk management.
Additionally, the new draft incorporates supply chain risk management considerations and issues, including “counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potentially harmful activities that can impact an organization’s systems and system components.”
NIST is accepting public comment on the draft until June 22. A final version is expected October 2018.