The US National Institute of Standards and Technology (NIST) has released Special Publication (SP) 800-18 Revision 2 (SP 800-18r2), a guidance update on how organisations develop and maintain the key risk management documentation for their information systems.
Titled Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems, the revision expands system planning to cover three related documents NIST collectively calls “system plans”: the system security plan, system privacy plan, and a cybersecurity supply chain risk management (C-SCRM) plan.
NIST said the publication aligns essential system plan elements with the steps and tasks of the NIST Risk Management Framework (RMF), aiming to provide a more streamlined approach to creating and maintaining these plans across the system life cycle.
The guidance also places greater emphasis on machine-readable data formats, with a view to supporting automated data collection and real-time dashboard reporting for risk management decisions.
Alongside the updated guidance, NIST said SP 800-18r2 includes supplemental materials such as example plan outlines,…