NIST Risk Management Framework 2.0 Updates Cyber-Security Policy

The National Institute of Standards and Technology is out with the final version of its Risk Management Framework (RMF) 2.0 update, providing organizations with new detailed insight into how to define and manage risk. RMF 2.0 was officially released on Dec. 20 and follows seven months of consultation and comments. RMF 2.0 is formally titled NIST Special Publication (SP) 800-37 Revision 2 and outlines how federal agencies and those that wish to align with the standard can address security and privacy risk management. Among the key additions in the RMF 2.0 updates is an alignment and integration with the NIST Cybersecurity Framework, which outlines controls and processes that should be used by U.S. government agencies. "RMF 2.0 gives federal agencies a very powerful tool to manage both security and privacy risks from a single, unified framework," NIST’s Ron Ross, one of the publication’s authors, wrote in a media advisory. "It ensures the term compliance means real cybersecurity and privacy risk management—not just satisfying a static set of controls in a checklist."
