NIST SP 800-37 (rev 2)
NIST 800-37 Revision 2 - Schedule
NIST Special Publication 800-37, Revision 2
Risk Management Framework for Security and Privacy
● Initial Public Draft: May 2018
● Final Public Draft: July 2018
● Final Publication (planned): October 2018
NIST Special Publication 800-53, Revision 5
Security and Privacy Controls
● Final Public Draft (planned): October 2018
● Final Publication (planned): December 2018
Source: https://csrc.nist.gov/projects/risk-management/schedule
Note: the dates above are the planned milestones from the NIST schedule page. In the event, SP 800-37 Rev 2 was published in December 2018 and SP 800-53 Rev 5 in September 2020.
Overview
● Sources of NIST 800-37 (rev 2)
● What is NIST SP 800-37 (rev 2)
● Differences between 800-37 Revision 1 and Revision 2
● Conclusion: the main things you should know
Sources of NIST SP 800-37 (rev 2)
Knowing the sources of 800-37 (rev 2) gives better context and understanding of why the revision changed what it did.
NIST 800-37 Revision 2 - Source of Changes
NIST 800-37 Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
Source of Changes:
● President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
● Office of Management and Budget Memorandum M-17-25 - next-generation Risk Management Framework (RMF) for systems and organizations
● NIST SP 800-53 Revision 5 coordination
Source: E.O. Strengthening Cybersecurity of Federal Networks
Source: M-17-25 OMB
NIST 800-37 Revision 2 - Executive Order
President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Executive Order 13800, May 2017)
● Directs federal agencies to manage cybersecurity risk using the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework)
● Focuses support on the critical infrastructure entities at greatest risk
● Cybersecurity for the nation: a resilient Internet and development of the cybersecurity workforce
Source: E.O. Strengthening Cybersecurity of Federal Networks
Source: M-17-25 OMB
Source: Framework for Improving Cybersecurity of Critical Infrastructure
NIST 800-37 Revision 2 - OMB M-17-25
Office of Management and Budget Memorandum M-17-25 - next-generation Risk Management Framework (RMF) for systems and organizations
● Memorandum implementing the Executive Order’s requirements for federal networks and critical infrastructure cybersecurity
● Agency risk management assessments reported to DHS (and OMB)
● Action plan for each agency’s implementation of the Cybersecurity Framework
● Cybersecurity Framework core functions: Identify, Protect, Detect, Respond, Recover
Source: M-17-25 OMB
Source: Framework for Improving Cybersecurity of Critical Infrastructure
NIST 800-37 Revision 2 - NIST 800-53 Rev 5
NIST SP 800-53 (Revision 5) coordination
● Security and privacy controls made more outcome-based (the control text no longer names the responsible entity)
● Privacy controls fully integrated into the single control catalog
● Control selection process and baselines separated from the controls themselves (the baselines moved into the companion SP 800-53B)
● New, state-of-the-practice controls added based on threat intelligence
● Mapping to the Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover
Source: Framework for Improving Cybersecurity of Critical Infrastructure
Source: NIST SP 800-53 Rev 5
What is NIST SP 800-37 (rev 2) & Changes
What is NIST 800-37 (Rev 2)
Revision 1 provides guidelines for applying the Risk Management Framework to federal information systems, including the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.
In short, it is a process that guides an organization through thorough security work across the life cycle of an important system.
NIST 800-37 Revision 2 is an upgrade to this process.
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
NIST 800-37 Revision 2 - NAME
NIST 800-37 Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach
NIST 800-37 Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
NIST 800-37 Revision 2 - NAME
NIST 800-37 Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
In line with NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations.
The new title drops "Federal", extends the scope from systems to organizations, and puts privacy up front alongside security.
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
NIST 800-37 Revision 2 - (4) Objectives
There are four major objectives for this update:
● To provide closer linkage and communication between the risk management processes and activities at the C-suite level of the organization and the processes and activities at the system and operational level of the organization.
● To institutionalize critical enterprise-wide risk management preparatory activities to facilitate a more efficient and cost-effective execution of the Risk Management Framework at the system and operational level.
● To demonstrate how the Cybersecurity Framework can be implemented using the established NIST risk management processes (i.e., developing a Federal use case).
● To provide an integration of privacy concepts into the Risk Management Framework and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5.
NIST 800-37 Revision 2 - The Prepare step
The first two objectives (communication with the C-suite level and institutionalizing enterprise-wide preparatory activities) are delivered by a new Prepare step that precedes Categorize. Examples of its tasks, at the organization and system level:
- Assign roles (risk management roles)
- Create strategy (risk management strategy)
- Identify stakeholders (system stakeholders)
- Identify the information life cycle (information types and information life cycle)
- Placement of the system (authorization boundary and position in the enterprise architecture)
- Create the monitoring program (continuous monitoring strategy)
NIST 800-37 Revision 2 - Objectives of organizational preparation
The primary objectives for institutionalizing organizational preparation are as follows:
● To facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners.
● To facilitate organization-wide identification of common controls and the development of organization-wide tailored security and privacy control baselines, to reduce the workload on individual system owners and the cost of system development and protection.
● To reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services through the application of enterprise architecture concepts and models.
● To identify, prioritize, and focus resources on high-value assets and high-impact systems that require increased levels of protection, taking steps commensurate with risk such as moving lower-impact systems to cloud or shared services, systems, and applications.
NIST 800-37 Revision 2 - Cybersecurity Framework & RMF
Put preparation in the center of the organization.
NIST 800-37 Revision 2 - Privacy
Put preparation in the center of the organization.
Conclusion
What is the main thing I should know?
NIST 800-37 Revision 2 - Main things you should know
● Check out the source documents (the Executive Order, OMB M-17-25 and SP 800-53 Rev 5) for context
● NIST 800-37 is being pushed to the forefront: preparation, organization-level risk management and privacy are now built into the RMF
● Know what the Cybersecurity Framework is (Identify, Protect, Detect, Respond, Recover), because the RMF is now the federal route to implementing it

NISTSP80037rev2.pptx


Editor's Notes

  1. All special publications are sourced from higher-level documents. These documents are policies, regulations and laws that are broad but put the special publication in perspective. This perspective gives the reader (and stakeholder) more context and therefore a better understanding of the publication's direction and intent. It is well worth at least reviewing the source documents.
  2. Revisions happen every few years to keep up with changes in the industry, threat levels, technology, etc.