According to the National Institute of Standards and Technology (NIST), its recent release of the final public draft of Revision 1 of NIST SP 800-37 transforms its certification and accreditation process into a six-step risk management framework (RMF).
NIST further states that “…this revised RMF-based process has the following characteristics:
1. Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous characteristics;
2. Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
3. Integrates information security more closely into the enterprise architecture and system development life cycle;
4. Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
5. Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems – i.e. common controls; and
6. Links risk management processes at the information system level to risk management processes at the organization level through a risk executive function.”
We believe this revised RMF-based process offers valuable guidance to the members of any governmental or non-governmental organization’s risk management team or business continuity planning group, and to any information management or security team member who is responsible for that organization’s information systems.
This guidance document can also be a vital reference to help validate a company’s security life cycle approach document.
Click here to view the final public draft of NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.