Professional Documents
Culture Documents
Presentation - NISTS RISK MANAGEMENT FRAMEWORK V2 CHANGES CHALLENGES AND WHAT YOU CAN DO NOW
Presentation - NISTS RISK MANAGEMENT FRAMEWORK V2 CHANGES CHALLENGES AND WHAT YOU CAN DO NOW
FRAMEWORK V2 –
CHANGES, CHALLENGES AND WHAT
YOU CAN DO NOW
4 APRIL 2019
YOUR PRESENTER
Ted@Chathamtech.com
LinkedIn
MY DISCLAIMER
▪ I am not an attorney
▪ FIPS 199
▪ FIPS 200
▪ SP 800-18
▪ SP 800-37
▪ SP 800-53
▪ SP 800-53A
▪ SP 800-160, Volumes I and II
▪ SP 800-171
▪ SP 800-171A
▪ NISTIR 8011
▪ NISTIR 8062
About 5000 pages if you include OMB Guidance
IMPORTANT NIST DOCUMENT CHANGES
NIST 800-53 R5
▪ Promoting integration with different risk management and
cybersecurity approaches and lexicons, including the cybersecurity
framework
▪ Clarifying the relationship between security and privacy to improve
the selection of controls necessary to address the full scope of
security and privacy risks
▪ Incorporating new, state-of-the-practice controls based on threat
intelligence and empirical attack data, including controls to
strengthen cybersecurity and privacy governance and
accountability
▪ Two new security control families have been added, bringing the
total to 20.
ANOTHER IMPORTANT CONCEPT
S-2:Control Tailoring
▪ Tailor the controls selected for the system and environment of operation
A-1:Assessor Selection
▪ Select the appropriate assessor or assessment team for the type of
control assessment to be conducted
NEW RMF STEPS
R-3:Risk Response
▪ Identify and implement a preferred course of action in response to the
risk determined
R-5:Authorization Reporting
▪ Report the authorization decision and any deficiencies in controls that
represent significant security or privacy risk.
REVISED RMF STEPS
S-3:Control Allocation
▪ Allocate security and privacy controls to the system and to the environment of
operation
▪ It’s new
▪ It can be started now
▪ Other steps may change as NIST documents are revised
BEFORE WE REVIEW THE NEW STEP 1
RISK ASSESSMENT—SYSTEM
TASK P-14 Conduct a system-level risk assessment and
update the risk assessment results on an ongoing basis.
Potential Inputs: Assets to be protected; missions, business
functions, and mission/business processes the system will
support; business impact analyses or criticality analyses;
system stakeholder information; information about other
systems that interact with the system; provider information;
threat information; data map; system design documentation;
Cybersecurity Framework Profiles; risk management strategy;
organization-level risk assessment results.
Expected Outputs: Security and privacy risk assessment
reports.
RISK ASSESSMENT—SYSTEM
TASK P-15 Define the security and privacy requirements for the
system and the environment of operation.
https://csrc.nist.gov/Projects/Risk-Management
https://csrc.nist.gov/Projects/cyber-supply-chain-risk-
management
https://www.nist.gov/itl/applied-cybersecurity/privacy-
engineering