NIST Offers Insight Into Updated Risk Management Framework

Peter B. Miller, CIPP/G; Kate M. Growley, CIPP/G; Michael G. Gruden, CIPP/G

The National Institute of Standards and Technology (NIST) has recently provided a glimpse into its revised Risk Management Framework (RMF). NIST issued a Final Draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations–A System Life Cycle Approach for Security and Privacy. The focus of the revised Framework, which is open for comment through October 31, 2018, is to integrate privacy and data security. The RMF features several updates aimed at supply chain risk, the NIST Cybersecurity Framework, and the pending update to NIST SP 800-53, Revision 5, which is focused on information security for federal information systems but now with an added emphasis on privacy-by-design. One of the key changes to the Framework is the introduction of a new step in the RMF process – “Prepare.” The purpose of this step is to achieve more cost-effective and efficient security and privacy risk management processes. The revision also seeks comment about a new task to improve the quality of privacy and security risk assessments, “identify[ing] and understanding all stages of the information life cycle.” In addition, the updated…
