NIST pushes on next version of Risk Management Framework

The National Institute of Standards and Technology looks to release the final version of RMF 2.0 early next year.


The National Institute of Standards and Technology is working hard to incorporate critical privacy controls into the next version of its risk management framework by the end of the year, said one of the initiative’s primary managers.

“We’re in a full-court press” to get a variety of critical changes made to NIST’s Risk Management Framework 2.0, NIST Fellow Ron Ross told FCW.

NIST, he said, plans to release a final public draft of RMF 2.0 in September, aiming for final publication in November.

The work to get the RMF completed includes discussions with the White House’s Office of Information and Regulatory Affairs on the privacy additions, Ross said in remarks after a panel at FCW’s Aug. 9 Cybersecurity Summit.

Those discussions with OIRA, he said, are important because the latest version of the RMF will cover a number of critical areas, including supply chain and systems engineering but also privacy.

Privacy, Ross said, is becoming one of the most critical issues in cybersecurity because it cuts across so many other areas. RMF 2.0’s new privacy provisions address how organizations can assess and manage risks to data and systems by focusing on protecting individuals' personally identifiable information.

Ross emphasized that IT security and privacy are complementary in defending against unauthorized system activity and behaviors. The draft update also ties the RMF more closely to the Cybersecurity Framework, he said.

Note: This article was updated on Aug. 10 to correct the projected timeline for RMF 2.0's final publication.