
The attached DISCUSSION DRAFT document (provided here for historical purposes), originally posted on September 28, 2017, has been superseded by the following publication:

Publication Number: NIST Special Publication (SP) 800-37 Rev. 2 (Initial Public Draft)

Title: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Publication Date: May 9, 2018


Draft NIST Special Publication 800-37

Revision 2

Risk Management Framework for Information Systems and Organizations

A System Life Cycle Approach for Security and Privacy

PRE-RELEASE MATERIAL

This publication contains comprehensive updates to the NIST Risk Management Framework including the incorporation of key concepts from the Cybersecurity Framework, the privacy risk management framework introduced in NIST Interagency Report 8062, and the systems security engineering framework defined in NIST Special Publication 800-160. The frameworks can be used in a complementary manner to manage security and privacy risks to information systems, organizations, and individuals.

This discussion draft of SP 800-37, Revision 2 is intended to solicit feedback on the initial changes and updates proposed for the Risk Management Framework 2.0 in preparation for the Initial Public Draft, which is targeted for release in fall 2017. The feedback received from the public workshop and from reviewers in the public and private sectors will be carefully considered and will inform subsequent versions of this document.

JOINT TASK FORCE

DISCUSSION DRAFT


September 2017

U.S. Department of Commerce

Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology

Kent Rochford, Acting NIST Director and Under Secretary of Commerce for Standards and Technology

DRAFT NIST SP 800-37, REVISION 2

RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS

A SYSTEM LIFE CYCLE APPROACH FOR SECURITY AND PRIVACY

________________________________________________________________________________________________

Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, OMB Director, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-37, Revision 2

Natl. Inst. Stand. Technol. Spec. Publ. 800-37, Rev. 2, 112 pages (September 2017)

CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts, practices, and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review draft publications during the designated public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available on the NIST Computer Security Resource Center website.

Public comments will be accepted on the Initial Public Draft, which is projected for publication in November 2017.

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Email: sec-cert@

All comments are subject to release under the Freedom of Information Act (FOIA).


Reports on Computer Systems Technology

The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology (IT). ITL's responsibilities include the development of management, administrative, technical, and physical standards/guidelines for the cost-effective security of other than national security-related information and protection of individuals' privacy in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information systems security and privacy and its collaborative activities with industry, government, and academic organizations.

Abstract

This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; security and privacy control selection, implementation, and assessment; system and control authorizations; and continuous monitoring. It also includes enterprise-level activities to help better prepare organizations to execute the RMF at the system level. The RMF promotes the concept of near real-time risk management and ongoing system authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the information necessary to make cost-effective risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy controls into the system development life cycle. Applying the RMF tasks enterprise-wide helps to link essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the security and privacy controls deployed within organizational systems and inherited by those systems. The RMF incorporates concepts from the Framework for Improving Critical Infrastructure Cybersecurity that complement the currently established risk management processes mandated by the Office of Management and Budget and the Federal Information Security Modernization Act.

Keywords

assess; authorization to operate; common control authorization; authorization to use; authorizing official; categorize; common control; common control provider; continuous monitoring; hybrid control; implement; information owner/steward; monitor; ongoing authorization; plan of action and milestones; privacy assessment report; privacy control; privacy plan; risk; risk assessment; risk executive function; risk management; risk management framework; threat intelligence; threat modeling; security assessment report; security control; security plan; senior agency information security officer; senior agency official for privacy; system development life cycle; system owner; system privacy officer; system security officer.


Acknowledgements

This publication was developed by the Joint Task Force Interagency Working Group. The group includes representatives from the Civil, Defense, and Intelligence Communities. The National Institute of Standards and Technology wishes to acknowledge and thank the senior leaders from the Departments of Commerce and Defense, the Office of the Director of National Intelligence, the Committee on National Security Systems, and the members of the interagency working group whose dedicated efforts contributed significantly to the publication.

Department of Defense
John A. Zangardi, Acting DoD Chief Information Officer
Thomas P. Michelli, Acting Principal Deputy DoD Chief Information Officer
Essye B. Miller, Deputy Chief Information Officer for Cybersecurity and DoD Senior Information Security Officer
John R. Mills, Director, Cybersecurity Policy, Strategy, and International

Office of the Director of National Intelligence
John Sherman, Assistant DNI and Chief Information Officer
Sally Holcomb, Deputy Chief Information Officer
Sue Dorr, Director, Information Assurance Division and Chief Information Security Officer
Wallace Coggins, Director, Security Coordination Center

National Institute of Standards and Technology
Charles H. Romine, Director, Information Technology Laboratory
Donna Dodson, Cybersecurity Advisor, Information Technology Laboratory
Matt Scholl, Chief, Computer Security Division
Kevin Stine, Chief, Applied Cybersecurity Division
Ron Ross, FISMA Implementation Project Leader

Committee on National Security Systems
Essye B. Miller, Chair
Cheryl Peace, Co-Chair
Kevin Dulany, Tri-Chair (Defense Community)
Peter H. Duspiva, Tri-Chair (Intelligence Community)
Daniel Dister, Tri-Chair (Civil Agencies)

Joint Task Force Interagency Working Group
Ron Ross, NIST, JTF Leader
Taylor Roberts, OMB
Jordan Burris, OMB
Jennifer Fabius, The MITRE Corporation
Kevin Dulany, Department of Defense
Ellen Nadeau, NIST
Charles Cutshall, OMB
Peter Duspiva, Intelligence Community
Victoria Pillitteri, NIST
Jeff Marron, NIST
Kelley Dempsey, NIST
Naomi Lefkovitz, NIST
Chris Enloe, NIST
Carol Bales, OMB

A special note of thanks goes to Jim Foti and Elizabeth Lennon for their technical editing and administrative support. The authors also wish to recognize Kaitlin Boeckl, Jon Boyens, Kathleen Coupe, Jeff Eisensmith, Ned Goren, Matthew Halstead, Kevin Herms, Jody Jacobs, Ralph Jones, Martin Kihiko, Raquel Leone, Kirsten Moncada, Celia Paulsen, and the research staff from the NIST Computer Security and Applied Cybersecurity Divisions for their exceptional contributions in helping to improve the content of the publication.


Finally, the authors also gratefully acknowledge the significant contributions from individuals and organizations in both the public and private sectors, nationally and internationally, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication.

Historical Contributions to NIST Special Publication 800-37

The authors acknowledge the many individuals who contributed to previous versions of Special Publication 800-37 since its inception in 2005. They include Marshall Abrams, William Barker, Beckie Bolton, Roger Caslow, Dominic Cussatt, Priscilla Guthrie, Gus Guissanie, Sherrill Nicely, Mark Morrison, Cita Furlani, Eustace King, William Hunteman, Gary Stoneburner, Peggy Himes, Arnold Johnson, Cheryl Roby, Marianne Swanson, Elizabeth Lennon, Dorian Pappas, Christian Enloe, John Streufert, Stuart Katzke, Peter Williams, Peter Gouldmann, John Gilligan, Richard Graubart, Esten Porter, Karen Quigg, George Rogers, and Glenda Turner.


Notes to Reviewers

As we push computers to "the edge," building an increasingly complex world of interconnected systems and devices, security and privacy continue to dominate the national conversation. The Defense Science Board, in its 2017 report of the Task Force on Cyber Deterrence, provides a sobering assessment of the current vulnerabilities in the U.S. critical infrastructure and in the systems that support mission-essential operations and assets in the public and private sectors.

"...The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed..."

There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure--ensuring that those systems, products, and services are sufficiently trustworthy throughout the system development life cycle and provide the necessary resilience to support the economic and national security interests of the United States. System modernization, the aggressive use of automation, and the consolidation, standardization, and optimization of federal systems and networks to strengthen the protection for high-value assets, are key objectives for the federal government.

This update to NIST Special Publication 800-37 (Revision 2) responds to the call by the Defense Science Board, the President's Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and Office of Management and Budget Memorandum M-17-25 (implementation guidance for the Cybersecurity Executive Order) to develop the next-generation Risk Management Framework (RMF) for systems and organizations.

There are four major objectives for this update:

• To provide closer linkage and communication between the risk management processes and activities at the C-suite level of the organization and the processes and activities at the system and operational level of the organization;

• To institutionalize critical enterprise-wide risk management preparatory activities to facilitate a more efficient and cost-effective execution of the Risk Management Framework at the system and operational level;

• To demonstrate how the Cybersecurity Framework can be implemented using the established NIST risk management processes (i.e., developing a Federal use case); and

• To provide an integration of privacy concepts into the Risk Management Framework and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5.

The addition of the organizational preparation step is one of the key changes to the RMF, incorporated to achieve more effective, efficient, and cost-effective risk management processes. The primary objectives for institutionalizing organizational preparation are as follows:

• To facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners, conveying acceptable limits regarding the implementation of security and privacy controls within the established organizational risk tolerance;
