
The attached DRAFT document (provided here for historical purposes), originally posted on October 2, 2018, has been superseded by the following publication:

Publication Number: NIST Special Publication (SP) 800-37 Rev. 2

Title: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Publication Date: 12/20/18




Draft NIST Special Publication 800-37

Revision 2

Risk Management Framework for Information Systems and Organizations

A System Life Cycle Approach for Security and Privacy

This publication contains comprehensive updates to the Risk Management Framework. These updates include an alignment with the constructs in the NIST Cybersecurity Framework; the integration of privacy risk management processes; an alignment with system life cycle security engineering processes; and the incorporation of supply chain risk management processes. Organizations can use the frameworks and processes in a complementary manner within the RMF to effectively manage security and privacy risks to organizational operations and assets, individuals, other organizations, and the Nation. This update includes organization-wide RMF tasks that are designed to prepare information system owners to conduct system-level risk management activities. The intent is to increase the efficiency and effectiveness of the RMF by establishing a closer connection to the organization's missions and business functions and improving the communications among senior leaders, managers, and operational personnel.

JOINT TASK FORCE

FINAL PUBLIC DRAFT


October 2018

U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology

DRAFT NIST SP 800-37, REVISION 2

RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS

A System Life Cycle Approach for Security and Privacy


Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of the appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, OMB Director, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.


National Institute of Standards and Technology Special Publication 800-37, Revision 2


Natl. Inst. Stand. Technol. Spec. Publ. 800-37, Rev. 2, 176 pages (October 2018)


CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts, practices, and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review draft publications during the designated public comment periods and provide feedback to NIST. Many NIST publications, other than the ones noted above, are available at .

Public comment period: October 2 through October 31, 2018


National Institute of Standards and Technology


Attn: Computer Security Division, Information Technology Laboratory


100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930


Email: sec-cert@


All comments are subject to release under the Freedom of Information Act (FOIA) [FOIA96].


Reports on Computer Systems Technology

The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology (IT). ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information systems security and privacy and its collaborative activities with industry, government, and academic organizations.


Abstract

This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information system categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization's information systems and inherited by those systems.


Keywords

assess; authorization to operate; authorization to use; authorizing official; categorize; common control; common control authorization; common control provider; continuous monitoring; control assessor; control baseline; hybrid control; information owner or steward; monitor; ongoing authorization; plan of action and milestones; privacy; privacy assessment report; privacy control; privacy plan; privacy risk; profile; risk assessment; risk executive function; risk management; risk management framework; security; security assessment report; security control; security plan; security risk; senior agency information security officer; senior agency official for privacy; supply chain risk management; system development life cycle; system owner; system privacy officer; system security officer; system-specific control.


Acknowledgements

This publication was developed by the Joint Task Force Interagency Working Group. The group includes representatives from the Civil, Defense, and Intelligence Communities. The National Institute of Standards and Technology wishes to acknowledge and thank the senior leaders from the Departments of Commerce and Defense, the Office of the Director of National Intelligence, the Committee on National Security Systems, and the members of the interagency working group whose dedicated efforts contributed significantly to the publication.

Department of Defense

Dana Deasy, Chief Information Officer

Essye B. Miller, Principal Deputy CIO and DoD Senior Information Security Officer

Thomas P. Michelli, Acting Deputy CIO for Cybersecurity

Vicki Michetti, Director, Cybersecurity Policy, Strategy, International, and Defense Industrial Base Directorate

Office of the Director of National Intelligence

John Sherman, Chief Information Officer

Vacant, Deputy Chief Information Officer

Susan Dorr, Director, Cybersecurity Division and Chief Information Security Officer

Wallace Coggins, Director, Security Coordination Center

National Institute of Standards and Technology

Charles H. Romine, Director, Information Technology Laboratory

Donna Dodson, Cybersecurity Advisor, Information Technology Laboratory

Matt Scholl, Chief, Computer Security Division

Kevin Stine, Chief, Applied Cybersecurity Division

Ron Ross, FISMA Implementation Project Leader

Committee on National Security Systems

Edward Brindley, Chair

Susan Dorr, Co-Chair

Kevin Dulany, Tri-Chair--Defense Community

Peter H. Duspiva, Tri-Chair--Intelligence Community

Vacant, Tri-Chair--Civil Agencies

Joint Task Force Interagency Working Group

Ron Ross, NIST, JTF Leader

Taylor Roberts, OMB

Jordan Burris, OMB

Jeff Marron, NIST

Dorian Pappas, CNSS

Kevin Dulany, DoD

Ellen Nadeau, NIST

Charles Cutshall, OMB

Kaitlin Boeckl, NIST

Dominic Cussatt, Veterans Affairs

Peter Duspiva, Intelligence Community

Victoria Pillitteri, NIST

Kevin Herms, OMB

Kirsten Moncada, OMB

Martin Stanley, DHS

Kelley Dempsey, NIST

Naomi Lefkovitz, NIST

Carol Bales, OMB

Jon Boyens, NIST

Celia Paulsen, NIST


The authors also wish to recognize Matt Barrett, Kathleen Coupe, Jeff Eisensmith, Ned Goren, Matthew Halstead, Jody Jacobs, Ralph Jones, Martin Kihiko, Raquel Leone, and the scientists, engineers, and research staff from the Computer Security Division and the Applied Cybersecurity Division for their exceptional contributions in helping to improve the content of the publication. A special note of thanks goes to Jim Foti and Elizabeth Lennon for their excellent technical editing and administrative support.

In addition, the authors wish to acknowledge the United States Air Force and the "RMF Next" initiative, facilitated by Air Force CyberWorx, that provided the inspiration for some of the new ideas in the RMF 2.0. The working group, led by Lauren Knausenberger, Bill Bryant, and Venice Goodwine, included government and industry representatives Jake Ames, Chris Bailey, James Barnett, Steve Bogue, Wes Chiu, Shane Deichman, Joe Erskine, Terence Goodman, Jason Howe, Brandon Howell, Todd Jacobs, Peter Klabe, William Kramer, Bryon Kroger, Dihn Le, Noam Liran, Sam Miles, Michael Morrison, Raymond Tom Nagley, Wendy Nather, Jasmine Neal, Ryan Perry, Eugene Peterson, Lawrence Rampaul, Jessica Rheinschmidt, Greg Roman, Susanna Scarveles, Justin Schoenthal, Christian Sorenson, Stacy Studstill, Charles Wade, Shawn Whitney, David Wilcox, and Thomas Woodring.

Finally, the authors also gratefully acknowledge the significant contributions from individuals and organizations in both the public and private sectors, nationally and internationally, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication.

HISTORICAL CONTRIBUTIONS TO NIST SPECIAL PUBLICATION 800-37

The authors acknowledge the many individuals who contributed to previous versions of Special Publication 800-37 since its inception in 2005. They include Marshall Abrams, William Barker, Beckie Koonge, Roger Caslow, John Gilligan, Peter Gouldmann, Richard Graubart, John Grimes, Gus Guissanie, Priscilla Guthrie, Jennifer Fabius, Cita Furlani, Richard Hale, Peggy Himes, William Hunteman, Arnold Johnson, Donald Jones, Stuart Katzke, Eustace King, Mark Morrison, Sherrill Nicely, Esten Porter, Karen Quigg, George Rogers, Cheryl Roby, Gary Stoneburner, Marianne Swanson, Glenda Turner, and Peter Williams.


Notes to Reviewers

This is the final draft of NIST Special Publication 800-37, Revision 2. We have incorporated changes to the publication in response to the comments received during the initial public comment period. In addition to seeking your comments on those changes, we are also seeking feedback on a new RMF Task P-13, Information Life Cycle. The life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion. Identifying and understanding all stages of the information life cycle have significant implications for security and privacy. We are seeking comments on how organizations would execute this task and how we might provide the most helpful discussion to assist organizations in the execution.

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers. NIST anticipates publishing the final version of this publication by December 2018.

- RON ROSS

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
