NIST SP 800-37 is a key document of the Risk Management Framework (RMF), which is required for Department of Defense information and information technology systems. The publication provides guidance for applying the RMF to information systems and organizations, both federal and non-federal.
Does NIST SP 800-37 Apply to Your Business?
- If you do business with the federal government – NIST SP 800-37 applies to your business.
- If you are a supplier to the federal government, in any capacity, NIST SP 800-37 applies to your business.
In January 2019, the National Institute of Standard and Technology (NIST) published Revision 2 of SP 800-37– Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
Background of NIST 800-37 Cybersecurity Framework
Businesses and organizations are becoming increasingly reliant on products, systems, and services provided by vendors (AKA: external providers) to carry out critical missions and business functions.
Outsourcing, while may be a cost-saving business strategy, does not remove any risk to these businesses. These businesses are responsible and accountable for the risk incurred when using 3rd party component products, systems, and services and then selling those finished goods or services to the federal government. The government defines ‘External Providers’ as providers that an organization has joint ventures, business partnerships, various types of formal agreements (ie: contracts, interagency agreements, lines of business arrangements, licensing agreements), or outsourcing arrangements.
Supply Chain Risks Within a Cybersecurity Framework
Supply chain risks can be endemic or systemic. While we’ve all seen movies of double-agents tampering with temperature control systems in ‘secure’ nuclear facilities, the reality is that the supply chain is much more mundane. It’s the manufacturer that makes the hazmat suits used for sewer and water inspections. Or they could be the distributor that moves and sells these products to the federal government.
You may wonder, as a CFO that administers government contracts, if this pertains to you.
Well, it does.
Your Technology’s Development, Integration, and Deployment
While the singular use of a service may present an acceptable risk to a business, its frequent use can raise the risk. These risks are associated with the global and distributed nature of supply chains. This results in a business’ decreased understanding of how the technology that they acquire is developed, integrated, and deployed. This includes the understanding of all the processes, procedures, and practices used to assure the integrity, security, resilience, privacy capabilities, and quality of the acquired products, systems, and services.
“Preparation” and 7 Major Objectives of NIST SP 800-37 Revision 2
Revision 2 introduces the additional “Preparation” step, which highlights activities on organizational and system levels. Preparation activities are not new to the process; however, Revision 2 emphasizes them to assist in achieving the objectives of the RMF in the most efficient, consistent, and cost-effective way.
7 Major Objectives of Revision 2:
1. To provide closer linkage and communication between the risk management processes and activities at the C-suit or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
2. To facilitate a more effective, efficient, and cost-effective execution of the RMF by institutionalizing critical risk management preparatory activities at all risk management level
3. To demonstrate how the NIST Cybersecurity Framework [NIST CSF] can align with the RMF and be implemented using established NIST risk management processes;
4. To better support the privacy protection needs for which privacy programs are responsible by integrating privacy risk management processes into the RMF
5. To promote the development of trustworthy secure software and systems by aligning lifecycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1 [SP 800-160 v1], with the relevant tasks in the RMF;
6. To address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC by integrating security-related, supply chain risk management (SCRM) concepts into the RMF; and
7. To complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5 by allowing for an organization-generated control selection approach.
Developing and Managing a Compliance and Risk Program
To ensure compliance and to mitigate your business’ cybersecurity risks, you will require an ongoing compliance program. You can do-it-yourself by putting a strategy and resources in place or you can use the experience of Sedara’s Cybersecurity Program and have an entire security team available to help develop and manage your compliance and risk program.
Along with Sedara’s expertise, you have the value of an independent 3rd party to monitor your risk and cybersecurity, which reduces the single point of failure of internal management.
NIST SP 800-37 Revision 2 was developed by the Joint Task Force Interagency Working Group, which includes representatives from the Civil, Defense, and Intelligence Communities. Excerpts were included in this blog, to read the complete document in its original form, it is available free of charge at https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final.
How Sedara Can Help You with NIST SP 800-37 Revision 2
Sedara is your cybersecurity sidekick when it comes to NIST. Contact us to learn more about our Cybersecurity and Risk Program Development Services.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do.