Moving to a Risk-Based Organization – NIST 800-37 Rev 1

The new NIST 800-37 Rev 1 brings federal civilian agencies up to date with respect to applying risk-based approaches to the systems development lifecycle. Prior to this release, the process was mostly a checkbox, pro forma exercise (even though risk was a core component) that looked at a system at a single point in time, one that was outdated as quickly as the ink dried on the C&A documents. 800-37 Rev 1 creates a risk management framework (RMF) that follows much of what has been defined in COSO, ISO 27005, the ISF Information Risk Analysis Methodology (IRAM), OCTAVE, the newly released ISO 31000 on Enterprise Risk Management and other frameworks. Getting organizations to move to this different mindset, one that focuses on a constantly updated dashboard view of the system, could be extremely difficult for some and, for others, an exercise in continuous process improvement towards operational maturity.

According to NIST, the most significant change in the final draft is the full transformation of the certification and accreditation process into the six-step risk management framework. NIST indicates that the revised process emphasizes:

(i)         building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls;

(ii)        maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes;

(iii)       providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems.

The revised RMF-based process has the following characteristics:

•           Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;

•           Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;

•           Integrates information security more closely into the enterprise architecture and system development life cycle;

•           Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;

•           Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems - for instance, common controls; and
