NIST has just released Draft NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This new publication responds to calls by the Defense Science Board, Executive Order 13800, and the Office of Management and Budget’s Policy Memorandum M-17-25 to develop the next-generation Risk Management Framework for information systems, organizations, and individuals.
Draft SP 800-37 Revision 2 provides updated guidelines for applying the Risk Management Framework to information systems and organizations. The guidelines have been developed to ensure that managing system-related security and privacy risk is consistent with the mission and business objectives of an organization and the risk management strategy established by senior leadership. The guidelines also aim to achieve security and privacy protections for organizational information and systems through the implementation of appropriate risk response strategies. In addition, the guidelines serve three further objectives: 1) to facilitate the implementation of the Framework for Improving Critical Infrastructure Cybersecurity; 2) to ensure that security and privacy requirements and controls are effectively integrated into the enterprise architecture, system development life cycle processes, acquisition processes, and systems engineering processes; and 3) to support consistent, informed, and ongoing authorization decisions, transparency and traceability of security- and privacy-related information, and reciprocity.
A public comment period for this draft document is open until June 22, 2018. Please submit comments using the template found on the publication details page to sec-cert@nist.gov.
CSRC Update: https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-37-rev-2
NIST Press Release: https://www.nist.gov/news-events/news/2018/05/nist-updates-risk-management-framework-incorporate-privacy-considerations
Publication Details: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft