The updated framework does a great job emphasizing organizational risk management, but the first step (literally) is being prepared.
I have always found the updates to federal risk management and compliance processes interesting. As new versions are introduced, I scan through the instructions looking for the major as well as the subtle differences, trying to understand the intent of the update. What problems are we attempting to solve this time around? How prepared is my component, command, or organization to initiate this change?
Other than standardizing federal agencies on the NIST Risk Management Framework (RMF) in 2010, I do not know that the intent of information assurance frameworks has changed that much over the years. In my opinion, the fundamental intent of DITSCAP, DIACAP and RMF has been to help organizations define, understand, and manage risks to information systems within the context of the organization and/or mission impact rather than to grade them on how well they can manufacture compliance in a “package.”
Another attempt to communicate the need for organizational risk management was released this past December in the much-anticipated update to the NIST SP 800-37, aka RMF 2.0. There are several noteworthy additions, such as incorporating the management of privacy and supply chain risk. Other significant updates include the much-needed “Prepare” step and recurring references to NIST’s complementary Framework for Improving Critical Infrastructure Cybersecurity, i.e., the NIST Cybersecurity Framework.
There are seven major objectives in the updated SP 800-37; I am pleased to report that the first three listed in the executive summary emphasize the management of organizational risk. There is no mention of ensuring that scans are submitted within the required periodicity (which of course is important, but not a strategic focal point). There are no examples of an acceptable boundary diagram or a definition of a representative sample. Instead, the objectives use phrases such as “closer linkage…at the C-suite or governance level of the organization,” and my favorite, “institutionalizing critical risk management.”
The Prepare step(s) provide tactical instruction on establishing and managing risk at the organization and system level, ideally as a tool for CISOs and CIOs to engage leadership and mission owners. While I hope I am wrong, I am not sure that most federal agencies are “Prepared” to have this dialogue with leadership. Likewise, I am not sure that mission owners want to engage in what has traditionally been perceived as a solely IT issue.
Getting “Prepared” with the Cybersecurity Framework
This is where the NIST Cybersecurity Framework (CSF) comes into play. The CSF is far more than a control mapping to the core functions (Identify, Protect, Detect, Respond and Recover). The CSF is a guide to enhancing your cybersecurity program and incorporating it into your organization’s risk management processes. The CSF is often acknowledged as a valuable tool for establishing a common language to discuss risk with organizational stakeholders. What I find most refreshing is the honesty and transparency the framework supports, something I have rarely seen within federal A&A processes.
Unfortunately, the reality for many organizations is they are not “Prepared” for this level of engagement. Maybe you are new talent entering the government and have a lot of cleaning up to do to reach that point. Maybe you were handed the role of ISSM as an additional duty and have spent the last five years with no budget, authority, or exposure to leadership. In any case, it is good news that, through the RMF 2.0 and CSF, NIST has done an incredible job in balancing the flexibility and structure needed to implement common sense risk management. We can only hope that the same characteristics are visible in the updated agency assessment and authorization implementation guidance that is soon to follow. I’ll cover that and other facets of RMF 2.0, the CSF, and how they work together in future posts.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.