The final version of the Risk Management Framework (RMF 2.0) has been released by the National Institute of Standards and Technology (NIST).
NIST is a non-regulatory agency of the United States Department of Commerce. The primary goal of the organisation, which is a working physical science laboratory, is to promote innovation and industrial competitiveness in the United States. It developed the RMF in order to improve the security of information systems in the United States.
The updated version of the federal government policy, RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management.
The previous version of the policy broke down the process of applying the RMF into six steps:
1) Categorise information system
2) Select security controls
3) Implement security controls
4) Assess security controls
5) Authorise information system
6) Monitor security controls
RMF 2.0 introduces a seventh step: “Prepare”. The Prepare step is intended to come first, ahead of the “Categorise” step. Prepare requires the organisation in question to assign responsibilities to different individuals within the organisation, enable enterprise-wide privacy and security controls, eliminate unnecessary functions, publish common controls, prioritise resources for high-value assets, and establish communication channels to ensure effective communication between the C-suite and employees.
According to NIST officials, the step was introduced to “achieve more effective, efficient, and cost-effective security and privacy risk management processes.”
In addition to introducing an extra step to the process, RMF 2.0 requires maximum use of automation in executing the framework rules. This is intended to allow privacy and security controls to be continuously assessed and monitored. RMF 2.0 also requires the preparation of authorisation packages for timely decision making.
NIST identified seven primary objectives for RMF 2.0. Using these objectives as guidelines, it is hoped that executing the RMF will become easier for organisations in the US. This will allow businesses to employ innovative approaches to risk management, and will increase the level of automation for risk management-related tasks.
The seven objectives are:
- To achieve closer linkage and communication between the risk management processes and activities at the C-suite and the individuals, processes, and activities at the system and operational level of the organization.
- To institutionalize critical risk management preparatory activities at all risk management levels.
- To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using current NIST risk management processes.
- To integrate privacy risk management processes into the RMF.
- To promote the development of secure software and systems through the alignment of life cycle-based systems engineering processes.
- To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC.
- To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the NIST consolidated control catalog (SP 800-53, Revision 5).
The Office of Management and Budget (OMB) requires all states and agencies to follow RMF 2.0 to manage security and privacy risks. RMF 2.0 allows them to manage privacy and security risk in a single, unified framework.
According to NIST Fellow Ron Ross, “[RMF 2.0] ensures the term compliance means real cybersecurity and privacy risk management – not just satisfying a static set of controls in a checklist.”