Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are continuing the series on the National Institute of Standards and Technology, otherwise referred to as NIST. The NIST Cybersecurity Framework, or NIST CSF, was the focus of last week. Today’s NIST focus will be the NIST Risk Management Framework, which is NIST Special Publication 800-37, also known as the NIST RMF for short.
So, like we did with the NIST CSF, we’ll start out describing the publication first. This publication is a bit longer than the CSF; the RMF is 164 pages, with the first 83 pages dedicated to the main body of content and the remaining pages being appendices supporting the main document. The RMF was a collaborative venture between the civil, defense, and intelligence communities, so quite a few industry experts had a hand in the creation of this publication.
Version 2 was updated back in December of 2018, yet even though that seems to be a lifetime ago in terms of technology, the concepts within the NIST RMF still apply today. Moving through the document to section 1.1 titled “Background” you will read the following:
“The RMF emphasizes risk management by promoting the development of security and privacy capabilities into information systems throughout the system development life cycle (SDLC); by maintaining situational awareness of the security and privacy posture of those systems on an ongoing basis through continuous monitoring processes; and by providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use and operation of their systems.”
Long sentence, but the point being made here is that the document promotes the input of security early in the development cycle, not as an afterthought, and that the inclusion of that security focus will help leadership make better risk-based decisions on behalf of the organization. So, who cares about risk-based decisions? Well, back in TomCast XIII we discussed risk management and the importance of it. As we spoke about also during the NIST CSF TomCast last week, the whole point of the framework is to better protect and secure the business. During the business impact analysis, the business objectives were identified. The framework should surround and protect those objectives to ensure they are successful, and the business continues to grow and thrive.
Now, the NIST RMF does, indeed, have a target audience, and that is defined in section 1.3. That audience is:
“…individuals associated with the design, development, implementation, assessment, operation, maintenance, and disposition of information systems.”
Hmmm, that is a pretty broad group, and it looks like if an organization utilizes information systems in just about any context the NIST RMF would be a benefit. The document benefits all categories of organizations that utilize information systems. From the brand-new technology startup, to the seasoned MSSP, to any cloud service provider out there, the NIST RMF can (and does in many circumstances) benefit the target organization.
Chapter two prepares the reader for the RMF process, and the steps required to get the framework in place. The seven steps that make up the framework are clearly outlined, and the document even tackles supply chain management! Even back in 2018 experts noticed that the supply chain needed security and a risk management plan.
Moving into chapter 3, the document now provides the execution plan for getting the framework in place. The chapter goes over the roles and responsibilities of the personnel involved, the risk management strategy, how to perform the risk assessment, how to establish the baseline, and more. Risk-focused organizations have some of the best cybersecurity postures, as they know what they need to address in order for the business to keep progressing; they recognize organizational risk early and are able to manage it properly.
Open up your preferred browser, engage your preferred search engine, and type in NIST RMF. Download the free PDF document and start your journey towards a more risk-based security strategy. Take the time and do it right the first time.
We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!