NIST: SP 800-39 and SP 800-37 r2

SecurelySpeaking
Apr 3, 2023


The National Institute of Standards and Technology (NIST) provides guidance on Cyber Risk Management (CRM) to the federal government through SP 800-39, but the private sector can also benefit from this publication, since both sectors depend on the same kinds of information systems. These systems encompass a wide range of devices that are vulnerable to attack, which underscores the need for risk management strategies. The framework offered in NIST SP 800-39, which includes risk framing, assessment, response, and monitoring, is general enough to be adapted by organizations in both the public and private sectors. The Joint Task Force Transformation Initiative (2011) suggests that collaboration between public and private entities can improve information security while avoiding duplicated effort and ensuring that standards and guidelines complement one another.

NIST SP 800-37 r2 offers a comprehensive approach to risk management, organized as seven steps in the Risk Management Framework (RMF). The Prepare step comes first and consists of seven tasks, each labelled with the letter "P" followed by a dash and the task number. This step includes tasks such as identifying personnel and developing strategies and risk assessments, which are essential for tailoring controls to meet the organization's baselines and prioritization levels. Continuous monitoring of the risk management strategy is also critical.

However, NIST SP 800-37 has some limitations. Authorization boundaries need continuous updating to account for high-risk systems that may have been missed. Additionally, there is no RMF/Security Assessment and Authorization (SA&A) maturity model, which would provide metrics of effectiveness.

Despite these limitations, NIST SP 800-37 has undergone revisions that make it more inclusive of artificial intelligence (AI) systems. The expansion of RMF Task P-13 to include stages such as creation, processing, dissemination, use, storage, and disposition covers the neural networks and machine learning models used in AI. Although the revisions do not directly call out AI systems, the framework's general definition of a system makes it applicable to them. Such systems are used in many day-to-day security functions, such as biometric readers and vehicle license plate readers.

In conclusion, NIST SP 800-39 offers a risk management framework that is general enough to apply to both the public and private sectors. NIST SP 800-37 r2 provides a comprehensive approach to risk management, but it has some limitations that need addressing. The revisions made to cover AI systems make the framework more inclusive, but the lack of direct references to AI systems still leaves room for improvement.

Resources:
Joint Task Force Transformation Initiative (2011). Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39). Retrieved January 27, 2022, from https://csrc.nist.gov/publications/detail/sp/800-39/final

NIST Joint Task Force (2018). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 r2). Retrieved January 27, 2022, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Chandler, D. (2022). Summary Thoughts on NIST Special Publication (SP) 800-37 Revision 2 (draft). Retrieved January 27, 2022, from https://criterion-sys.com/summary-thoughts-on-nist-special-publication-sp-800-37-revision-2-draft/

Disclaimer

The ensuing text was drafted in compliance with the policies and regulations established by Georgetown University for its students and coursework, and is presently being made available on Medium.com with the explicit authorization of the author.

Most entries shared on this platform have been written for graduate school courses. All analysis and views my own.