Updating the NIST Risk Management Framework for Information Systems

The U.S. National Institute of Standards and Technology (NIST) is taking public comments on its major risk management publication for information systems, SP 800-37. This document provides guidelines for applying the NIST Risk Management Framework (RMF) to information systems and organizations.

The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. It also includes activities to help prepare organizations to execute the RMF at the information system level. The RMF promotes the concept of near real-time risk management and ongoing system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy into the system development life cycle.  Use of the NIST RMF is mandated for federal information systems by the Federal Information Security Management Act (FISMA).

Comments are due by June 22nd.
