New RMF Tactics for 2019

Risk Management Framework (RMF) is an important part of maintaining the security of your systems. It’s how IT professionals keep crucial websites safe and private for their clients, employees, and web users.

Keeping up with the pace of security breaches these days can be a challenge. But, with continuing education in RMF tactics, you can avoid the kind of problems that compromise website security.

Recently, the National Institute of Standards and Technology (NIST) released an update to its framework that is aimed at increasing privacy, improving security, and aiding long-term planning. You can read the document here, which we’ve summarized for you below:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

RMF 2019 Goals

The Risk Management Framework is about dealing with security and privacy issues in an efficient and effective manner. This is a difficult task because of the rate of change in the cyber world. That’s why it’s so important to keep up with the changes issued by NIST when working in IT.

For the government, this pace of change is worrying because it increases our vulnerability to attack across the economy. For you, what’s at risk is your business’s information, your customers’ sensitive information, and the smooth functioning of your company. It’s in everyone’s interest, both private and public entities, to ensure that your operations are secure and private. The goal of the RMF is to provide solutions to potential problems before they come up.

An important goal of RMF is to bring security and privacy protocols into the core of a business or institution. It needs to be a seamless part of the system development life cycle in order to provide maximum protection against security risks. As NIST says, the RMF “provides a repeatable process designed to promote the protection of information and information systems commensurate with risk.”

The 2019 RMF protocols are more focused than ever on bringing risk management into every part of an organization. The NIST recommends that risk management be a focus at the institutional level.

What’s New in 2019?

1. Integrated Protection

One of the key thrusts of the new RMF tactics is to integrate protection into wider systems, whether at a business, organization, or government entity.

Security used to be an additional step added to IT processes. It was adjacent to IT rather than being central to it. Today, this secondary treatment of security is no longer an option. Because of the amount of sensitive information involved in tech, security has moved to the center of the IT world.

The 2019 RMF update teaches tactics for enhancing the role of security in the workplace. According to the report, “There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure—ensuring that the systems, products, and services are sufficiently trustworthy throughout the system development life cycle (SDLC).”

So, rather than thinking of security as an afterthought, IT professionals need to think about privacy and security as essential at all levels of their infrastructure. Some of the specific suggestions mentioned in the report include:

  • “[Institutionalizing] critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF.”
  • Creating a “unified and collaborative approach to bring security and privacy evidence together in a single authorization package.”
  • “Ensuring greater visibility into the implementation of security and privacy controls which will promote more informed, risk-based authorization decisions.”

2. The Seven Steps

Previous versions of the RMF listed six steps for carrying out the risk management process. These were:

  • Categorize
  • Select
  • Implement
  • Assess
  • Authorize
  • Monitor

One of the most important changes to RMF tactics in the 2019 update is the addition of a new seventh step:

  • Prepare

The focus on preparation is crucial to improving the security and privacy of your business or institution. Rather than simply reacting to threats or problems, the addition of the preparation step puts the responsibility on IT professionals to anticipate and head off trouble before it strikes.

A preventative approach to IT is essential in these days of breaches, hacks, and information leaks. Most companies already incorporate risk management into their protocols. With the addition of the Prepare step, the new RMF hopes to integrate those activities more fully into organization-wide systems.

Much of the specific instruction included in the prepare section is about assigning the appropriate roles and tasks within your organization. Having the appropriate personnel prepared to authorize certain processes or handle emergencies translates into better functioning in the event that a problem arises. The report provides a lengthy, step-by-step plan for implementing the changes.

Overview

The RMF is designed to change and adapt over time. For that reason, it is crucial that IT professionals and businesses stay up to date on the latest protocols.

The top trends in RMF tactics in 2019 can be summed up with one keyword: integration. Not only does NIST want to prepare organizations to meet risks before they arise; it also wants to make sure that every part of an organization is ready to face whatever problems do come up.

As the report says, the goal of RMF is to “promote a comprehensive approach to managing security and privacy risk.” By integrating security and privacy protocols at every level of an organization, you can better prevent problems and effectively handle any issues when they do come up.