Speaker Presentation (PDF)
This webcast provided a 2-hour overview and deep dive of the recently released NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This update to NIST SP 800-37 develops the next-generation Risk Management Framework (RMF) for systems, organizations, and individuals by:
- Providing a closer link and better communication between the risk management processes and activities at the C-suite level and the individuals, processes, and activities at the system and operational level of the organization, through the addition of the Prepare step;
- Institutionalizing foundational risk management preparatory activities at all risk management levels;
- Demonstrating how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
- Integrating privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- Promoting the development of trustworthy secure software and systems by aligning the RMF with the life cycle-based systems engineering processes in NIST SP 800-160 Volume 1;
- Integrating security-related supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- Allowing for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated security and privacy control catalog in NIST SP 800-53 Revision 5.
This webcast featured an introduction by Dr. Ron Ross, NIST Fellow, and an overview of the updates in SP 800-37, Revision 2, followed by a deep dive into the Steps and Tasks of the RMF by Kelley Dempsey, Vicky Pillitteri, and Naomi Lefkovitz.
Continuing Education Units (CEUs)
Attendees are always welcome to self-report to their authoritative certification bodies to request CEUs for attending this event.