The next meeting of the IT Governance board will include a set of orientation briefings for the new members. Your assignment, as a support staffer, is to help prepare for this orientation mee

NIST Special Publication 800-37

Revision 2

Risk Management Framework for

Information Systems and Organizations A System Life Cycle Approach for Security and Privacy

JOINT TASK FORCE

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-37r2

This publication contains comprehensive updates to the Risk Management Framework. The updates include an alignment with the constructs in the NIST Cybersecurity Framework; the integration of privacy risk management processes; an alignment with system life cycle security engineering processes; and the incorporation of supply chain risk management processes. Organizations can use the frameworks and processes in a complementary manner within the RMF to effectively manage security and privacy risks to organizational operations and assets, individuals, other organizations, and the Nation. Revision 2 includes a set of organization-wide RMF tasks that are designed to prepare information system owners to conduct system-level risk management activities. The intent is to increase the effectiveness, efficiency, and cost-effectiveness of the RMF by establishing a closer connection to the organization’s missions and business functions and improving the communications among senior leaders, managers, and operational personnel.

NIST Special Publication 800-37 Revision 2

Risk Management Framework for Information Systems and Organizations

A System Life Cycle Approach for Security and Privacy

JOINT TASK FORCE

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-37r2

December 2018

U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology

Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology

NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS A System Life Cycle Approach for Security and Privacy ________________________________________________________________________________________________

PAGE i

This publication is available free of charge from : https://doi.org/10.6028/N

IST.S P

.800-37r2

Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of the appropriate federal officials exercising policy authority over such systems. This guideline is consistent with requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, OMB Director, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-37, Revision 2 Natl. Inst. Stand. Technol. Spec. Publ. 800-37, Rev. 2, 183 pages (December 2018)

CODEN: NSPUE2

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-37r2

Comments on this publication may be submitted to:

National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory

100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 Email: [email protected]

All comments are subject to release under the Freedom of Information Act (FOIA) [FOIA96].

Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts, practices, and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review draft publications during the designated public comment periods and provide feedback to NIST. Many NIST publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS A System Life Cycle Approach for Security and Privacy ________________________________________________________________________________________________

PAGE ii

This publication is available free of charge from : https://doi.org/10.6028/N

IST.S P

.800-37r2

Reports on Computer Systems Technology

The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology (IT). ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost- effective security of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information systems security and privacy and its collaborative activities with industry, government, and academic organizations.

Abstract

This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.

Keywords

assess; authorization to operate; authorization to use; authorizing official; categorize; common control; common control authorization; common control provider; continuous monitoring; control assessor; control baseline; cybersecurity framework profile; hybrid control; information owner or steward; information security; monitor; ongoing authorization; plan of action and milestones; privacy; privacy assessment report; privacy control; privacy plan; privacy risk; risk assessment; risk executive function; risk management; risk management framework; security; security assessment report; security control; security engineering; security plan; security risk; senior agency information security officer; senior agency official for privacy; supply chain risk management; system development life cycle; system owner; system privacy officer; system security officer; system-specific control.

NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS A System Life Cycle Approach for Security and Privacy ________________________________________________________________________________________________

PAGE iii

This publication is available free of charge from : https://doi.org/10.6028/N

IST.S P

.800-37r2

Acknowledgements

This publication was developed by the Joint Task Force Interagency Working Group. The group includes representatives from the Civil, Defense, and Intelligence Communities. The National Institute of Standards and Technology wishes to acknowledge and thank the senior leaders from the Departments of Commerce and Defense, the Office of the Director of National Intelligence, the Committee on National Security Systems, and the members of the interagency working group whose dedicated efforts contributed significantly to the publication.

Department of Defense Office of the Director of National Intelligence

Dana Deasy John Sherman Chief Information Officer Chief Information Officer

Essye B. Miller Vacant Principal Deputy CIO and DoD Senior Information Deputy Chief Information Officer Security Officer

Thomas P. Michelli Susan Dorr Acting Deputy Chief Information Officer for Cybersecurity Director, Cybersecurity Division and Chief

Information Security Officer

Vicki Michetti Wallace Coggins Director, Cybersecurity Policy, Strategy, International, Director, Security Coordination Center and Defense Industrial Base Directorate

National Institute of Standards and Technology Committee on National Security Systems

Charles H. Romine Thomas Michelli Director, Information Technology Laboratory Chair—Defense Community

Donna Dodson Susan Dorr—Intelligence Community Cybersecurity Advisor, Information Technology Laboratory Co-Chair

Matt Scholl Vicki Michetti Chief, Computer Security Division Tri-Chair—Defense Community

Kevin Stine Chris Johnson Chief, Applied Cybersecurity Division Tri-Chair—Intelligence Community

Ron Ross Paul Cunningham FISMA Implementation Project Leader Tri-Chair—Civil Agencies

Joint Task Force Working Group

Ron Ross Kevin Dulany Peter Duspiva Kelley Dempsey NIST, JTF Leader DoD Intelligence Community NIST Taylor Roberts Ellen Nadeau Victoria Pillitteri Naomi Lefkovitz OMB NIST NIST NIST Jordan Burris Charles Cutshall Kevin Herms Carol Bales OMB OMB OMB OMB Jeff Marron Kaitlin Boeckl Kirsten Moncada Jon Boyens NIST NIST OMB NIST Dorian Pappas Dominic Cussatt Esten Porter Celia Paulsen CNSS Veterans Affairs The MITRE Corporation NIST Daniel Faigin Christina Sames Julie Snyder Martin Stanley The Aerospace Corporation The MITRE Corporation The MITRE Corporation Homeland Security

NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS A System Life Cycle Approach for Security and Privacy ________________________________________________________________________________________________

PAGE iv

This publication is available free of charge from : https://doi.org/10.6028/N

IST.S P

.800-37r2

The authors also wish to recognize Matt Barrett, Kathleen Coupe, Jeff Eisensmith, Chris Enloe, Ned Goren, Matthew Halstead, Jody Jacobs, Ralph Jones, Martin Kihiko, Raquel Leone, and the scientists, engineers, and research staff from the Computer Security Division and the Applied Cybersecurity Division for their exceptional contributions in helping to improve the content of the publication. A special note of thanks to Jim Foti and the NIST web team for their outstanding administrative support.

In addition, the authors wish to acknowledge the United States Air Force and the “RMF Next” initiative, facilitated by Air Force CyberWorx, that provided the inspiration for some of the new ideas in this update to the RMF. The working group, led by Lauren Knausenberger, Bill Bryant, and Venice Goodwine, included government and industry representatives Jake Ames, Chris Bailey, James Barnett, Steve Bogue, Wes Chiu, Kurt Danis, Shane Deichman; Joe Erskine, Terence Goodman, Jason Howe, Brandon Howell, Todd Jacobs, Peter Klabe, William Kramer, Bryon Kroger, Kevin LaSalle, Dinh Le, Noam Liran, Sam Miles, Michael Morrison, Raymond Tom Nagley, Wendy Nather, Jasmine Neal, Ryan Perry, Eugene Peterson, Lawrence Rampaul, Jessica Rheinschmidt, Greg Roman, Susanna Scarveles, Justin Schoenthal, Christian Sorenson, Stacy Studstill, Charles Wade, Shawn Whitney, David Wilcox, and Thomas Woodring.

Finally, the authors also gratefully acknowledge the significant contributions from individuals and organizations in both the public and private sectors, nationally and internationally, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication.

HISTORICAL CONTRIBUTIONS TO NIST SPECIAL PUBLICATION 800-37

The authors acknowledge the many individuals who contributed to previous versions of Special Publication 800-37 since its inception in 2005. They include Marshall Abrams, William Barker, Beckie Koonge, Roger Caslow, John Gilligan, Peter Gouldmann, Richard Graubart, John Grimes, Gus Guissanie, Priscilla Guthrie, Jennifer Fabius, Cita Furlani, Richard Hale, Peggy Himes, William Hunteman, Arnold Johnson, Donald Jones, Stuart Katzke, Eustace King, Mark Morrison, Sherrill Nicely, Karen Quigg, George Rogers, Cheryl Roby, Gary Stoneburner, Marianne Swanson, Glenda Turner, and Peter Williams.

NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS A System Life Cycle Approach for Security and Privacy ________________________________________________________________________________________________

PAGE v

This publication is available free of charge from : https://doi.org/10.6028/N

IST.S P

.800-37r2

Executive Summary

As we push computers to “the edge,” building a complex world of interconnected information systems and devices, security and privacy risks (including supply chain risks) continue to be a large part of the national conversation and topics of great importance. The significant increase in the complexity of the hardware, software, firmware, and systems within the public and private sectors (including the U.S. critical infrastructure) represents a significant increase in attack surface that can be exploited by adversaries. Moreover, adversaries are using the supply chain as an attack vector and effective means of penetrating our systems, compromising the integrity of system elements, and gaining access to critical assets.

The Defense Science Board Report, Resilient Military Systems and the Advanced Cyber Threat [DSB 2013], provides a sobering assessment of the vulnerabilities in the United States Government, the U.S. critical infrastructure, and the systems supporting the mission-essential operations and assets in the public and private sectors.

“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…”

There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure—ensuring that the systems, products, and services are sufficiently trustworthy throughout the system development life cycle (SDLC) and can provide the necessary resilience to support the economic and national security interests of the United States. System modernization, the increased use of automation, and the consolidation, standardization, and optimization of federal systems and networks to strengthen the protection for high value assets [OMB M-19-03], are key objectives for the federal government.

Executive Order (E.O.) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [EO 13800] recognizes the increasing interconnectedness of Federal information systems and requires heads of agencies to ensure appropriate risk management not only for the Federal agency’s enterprise, but also for the Executive Branch as a whole. The E.O. states:

“…The executive branch operates its information technology (IT) on behalf of the American people. Its IT and data should be secured responsibly using all United States Government capabilities…”

“…Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents…”

OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [OMB M-17-25] provides implementation guidance to Federal agencies for E.O. 13800. The memorandum states:

“… An effective enterprise risk management program promotes a common understanding for recognizing and describing potential risks that can impact an agency’s mission and the delivery of services to the public. Such risks include, but are not limited to, strategic, market, cyber, legal,

NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS A System Life Cycle Approach for Security and Privacy ________________________________________________________________________________________________

PAGE vi

This publication is available free of charge from : https://doi.org/10.6028/N

IST.S P

.800-37r2

reputational, political, and a broad range of operational risks such as information security, human capital, business continuity, and related risks…”

“… Effective management of cybersecurity risk requires that agencies align information security management processes with strategic, operational, and budgetary planning processes…”

OMB Circular A-130, Managing Information as a Strategic Resource [OMB A-130], addresses responsibilities for protecting federal information resources and for managing personally identifiable information (PII). Circular A-130 requires agencies to implement the RMF that is described in this guideline and requires agencies to integrate privacy into the RMF process. In establishing requirements for information security programs and privacy programs, the OMB circular emphasizes the need for both programs to collaborate on shared objectives:

“While security and privacy are independent and separate disciplines, they are closely related, and it is essential for agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with applicable requirements….”

This update to NIST Special Publication 800-37 (Revision 2) responds to the call by the Defense Science Board, the Executive Order, and the OMB policy memorandum to develop the next- generation Risk Management Framework (RMF) for information systems, organizations, and individuals.

There are seven major objectives for this update:

• To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;

• To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;

• To demonstrate how the NIST Cybersecurity Framework [NIST CSF] can be aligned with the RMF and implemented using established NIST risk management processes;

• To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;

• To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1 [SP 800-160 v1], with the relevant tasks in the RMF;

• To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and

• To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.

The addition of the Prepare step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. The primary objectives for institutionalizing organization-level and system-level preparation are:

NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS A System Life Cycle Approach for Security and Privacy ________________________________________________________________________________________________

PAGE vii

This publication is available free of charge from : https://doi.org/10.6028/N

IST.S P

.800-37r2

• To facilitate effective communication between senior leaders and executives at the organization and mission/business process levels and system owners at the operational level;

• To facilitate organization-wide identification of common controls and the development of organizationally-tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection;

• To reduce the complexity of the information technology (IT) and operations technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services;

• To reduce the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk; and

• To identify, prioritize, and focus resources on the organization’s high value assets (HVA) that require increased levels of protection—taking measures commensurate with the risk to such assets.

By achieving the above objectives, organizations can simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks. Organizations implementing the RMF will be able to:

– Use the tasks and outputs of the Organization-Level and System-Level Prepare step to promote a consistent starting point within organizations to execute the RMF;

– Maximize the use of common controls at the organization level to promote standardized, consistent, and cost-effective security and privacy capability inheritance;

– Maximize the use of shared or cloud-based systems, services, and applications to reduce the number of authorizations needed across the organization;

– Employ organizationally-tailored control baselines to increase the speed of security and privacy plan development and the consistency of security and privacy plan content;

– Employ organization-defined controls based on security and privacy requirements generated from a systems security engineering process;

– Maximize the use of automated tools to manage security categorization; control selection, assessment, and monitoring; and the authorization process;

– Decrease the level of effort and resource expenditures for low-impact systems if those systems cannot adversely affect higher-impact systems through system connections;

– Maximize the reuse of RMF artifacts (e.g., security and privacy assessment results) for standardized hardware/software deployments, including configuration settings;

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.