NIST SP 800-37 is a key document of the Risk Management Framework (RMF), which is required for Department of Defense information and information technology systems. The publication provides guidance for applying the RMF to information systems and organizations, both federal and non-federal.
Does NIST SP 800-37 Apply to Your Business?
- If you do business with the federal government, NIST SP 800-37 applies to your business.
- If you are a supplier to the federal government, in any capacity, NIST SP 800-37 applies to your business.
In January 2019, the National Institute of Standards and Technology (NIST) published Revision 2 of SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
Background of NIST 800-37 Cybersecurity Framework
Businesses and organizations are becoming increasingly reliant on products, systems, and services provided by vendors (also known as external providers) to carry out critical missions and business functions. Outsourcing, while it may be a cost-saving business strategy, does not remove any risk to these businesses. These businesses are responsible and accountable for the risk incurred when using third-party component products, systems, and services and then selling those finished goods or services to the federal government. The government defines ‘External Providers’ as providers with which an organization has joint ventures, business partnerships, various types of formal agreements (i.e., contracts, interagency agreements, lines of business arrangements, licensing agreements), or outsourcing arrangements.
Supply Chain Risks Within a Cybersecurity Framework
Supply chain risks can be endemic or systemic within a system element, system, organization, or industry. While we’ve all seen movies of double agents tampering with temperature control systems in ‘secure’ nuclear facilities, the reality is that the supply chain is much more mundane. The supply chain is the manufacturer that makes the explosion-proof lighting used in aerospace/DoD paint spray booths, or the hazmat suits used for sewer and water inspections. Or it could be the distributor that moves and sells these products to the federal government.
You may wonder, as a CFO that administers government contracts, if this pertains to you. Well, it does.
You Need Visibility and Understanding of All Your Technology’s Development, Integration, and Deployment
While the singular use of an element or service within a system may present an acceptable risk to a business, its frequent or continual use throughout a system, organization, or industry can raise the risk to an unacceptable level. These risks are often associated with the global and distributed nature of product and service supply chains. This results in a business’ decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated and deployed. This visibility includes the understanding of all the processes, procedures, and practices used to assure the integrity, security, resilience, privacy capabilities, and quality of the acquired products, systems, and services.
“Preparation” and 7 Major Objectives of Revision 2
Revision 2 introduces the additional “Preparation” step, which highlights activities on organizational and system levels. Preparation activities are not new to the process; however, Revision 2 emphasizes them to assist in achieving the objectives of the RMF in the most efficient, consistent, and cost-effective way.
Here's an overview of the 7 major objectives of Revision 2:
1. To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
2. To facilitate a more effective, efficient, and cost-effective execution of the RMF by institutionalizing critical risk management preparatory activities at all risk management levels;
3. To demonstrate how the NIST Cybersecurity Framework [NIST CSF] can be aligned with the RMF and implemented using established NIST risk management processes;
4. To better support the privacy protection needs for which privacy programs are responsible by integrating privacy risk management processes into the RMF;
5. To promote the development of trustworthy secure software and systems by aligning lifecycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1 [SP 800-160 v1], with the relevant tasks in the RMF;
6. To address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC by integrating security-related, supply chain risk management (SCRM) concepts into the RMF; and
7. To complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5 by allowing for an organization-generated control selection approach.
Developing and Managing a Compliance and Risk Program
To ensure compliance and to mitigate your business’ cybersecurity risks, you will require an ongoing compliance program. You can do it yourself by putting a strategy and resources in place, or you can use the experience of Sedara’s Cybersecurity Program and have an entire security team available to help develop and manage your compliance and risk program.
Along with Sedara’s expertise, you have the value of an independent 3rd party to monitor your risk and cybersecurity, which reduces the single point of failure of internal management.
Contact us to learn more about our Cybersecurity and Risk Program Development Services.
NIST SP 800-37 Revision 2 was developed by the Joint Task Force Interagency Working Group, which includes representatives from the Civil, Defense, and Intelligence Communities. Excerpts were included in this blog; the complete document in its original form is available free of charge at https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final.