NIST adds privacy recommendations to its Risk Management Framework

The National Institute of Standards and Technology has updated its Risk Management Framework (RMF) to cover privacy issues, with a focus on helping organizations better understand and protect their members' personally identifiable information (PII).

The update, which is included in Draft NIST Special Publication (SP) 800-37 Revision 2, includes information on how companies and other organizations can better understand the risks associated with using and storing PII. This differs slightly from what the RMF did in the past, when it primarily focused on protecting organizations from external cybersecurity threats, and is designed to bring together the best of the RMF with the NIST Cybersecurity Framework (CSF).

“Until now, federal agencies had been using the RMF and CSF separately,” NIST's Ron Ross, one of the publication's authors, said in a statement. “The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you're using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”

The RMF provides organizations with a structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST's SP 800-53, Revision 5.

In addition to adding privacy considerations, the revision covers building security into systems during the design stage, gives guidance on how to better communicate protection plans and strategies to senior leadership, and aims to foster a better understanding of supply chain issues such as the inclusion of malicious software during the manufacturing process.