New NIST Guidance Focuses on Risk Management

Joint Initiative with Defense Department, Intelligence Community
SP 800-39 provides guidance to federal agencies and their contractors on how to manage information security risk associated with the operation and use of information systems.
"For decades, organizations have managed risk at the information system level," NIST said in a statement accompanying the guidance publication. "This information system focus provided a very narrow, stovepiped, perspective that constrained risk-based decisions by senior leaders/executives to the tactical level - devoid, in many cases, of any direct linkage or traceability to the important organizational missions/business functions being carried out by enterprises. The concentration on information systems security resulted in a focus on vulnerability management at the expense of strategic risk management applied across enterprises."
NIST said the new guidance describes a three-tiered risk management approach that recommends federal agencies focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive function.
"The risk management strategy addresses some of the fundamental issues that organizations face in how information security risk is assessed, responded to, and monitored over time in the context of critical missions and business functions," NIST said. "The strategic focus of the risk management strategy allows organizations to influence the design of key mission and business processes - making these processes risk aware. Risk-aware mission/business processes drive enterprise architecture decisions and facilitate the development and implementation of an effective, embedded information security architecture that provides a roadmap for allocating safeguards and countermeasures to information systems and the environments in which those systems operate."
NIST said the multi-tiered risk management approach - moving from organization to missions to systems - ensures that strategic considerations drive investment and operational decisions with regard to managing risk to organizational operations, organizational assets, individuals, other organizations and the nation. "This type of risk-based decision making is especially important with respect to how organizations address advanced persistent threats, which have the potential, through sophisticated cyberattacks, to degrade or debilitate information systems supporting the critical applications and operations of the federal government."
The Joint Task Force Transformation Initiative, which helped shape the new guidance, is a partnership among the Department of Defense, the intelligence community, NIST and the Committee on National Security Systems, a forum for the discussion of policy issues that is responsible for setting national-level information assurance policies. The partnership, under the direction of the secretaries of defense and commerce and the director of national intelligence, collaborates on developing a unified information security and risk management framework for the federal government that addresses the challenges of protecting federal information and information systems as well as the critical national information infrastructure.