Implementing the NIST RMF: Step Zero
The NIST RMF is increasingly being seen as the gold standard for industries with critical or highly sensitive data needs – such as healthcare. It is an effective security planning and management framework that enables a comprehensive picture of organizational risk. This helps organizations build a solid risk management strategy, understand the areas that matter most to their organizational security, and properly perform their essential business functions.
Yet healthcare organizations are spending increasing amounts of money on security and remain vulnerable. Why is that? Tim Denis, Chief Product Officer at Intraprise Health, says that it is because healthcare organizations are not playing from the same security “playbook”. “Just like a football team needs to play from the same playbook to ensure they can collectively run plays efficiently and effectively, healthcare organizations must adopt a similar security ‘playbook’ to effectively manage risks and cybersecurity threats,” he says. The NIST Risk Management Framework (RMF) is the security and risk management playbook that the federal government has established. An increasing number of organizations are adopting the framework, and all indications point to this becoming the de facto security and risk management standard. So how can you get started?
The NIST RMF recently added a step zero to the framework process, called the Prepare step. The purpose of this step is to normalize the organizational roles, responsibilities, risk posture and system definitions currently being managed, and to carry out essential risk management tasks at the organization to establish context and help prepare the organization to manage its security and privacy risks. The tasks laid out in the Prepare step are intended to support all subsequent steps and tasks in the RMF. According to NIST, the main goals of the Prepare step are to:
- Facilitate better communication surrounding security and risk between leadership, business process levels and system owners.
- Identify common security controls and baselines in place at the organization.
- Identify where security resources will go according to risk appetite, prioritizing high-value assets and high-impact systems requiring increased levels of protection.
The Prepare step is broken up into tasks that help to achieve these and other outcomes. Tasks are separated into organizational-level tasks and system-level tasks to clarify appropriate roles and responsibilities. Each task in the Prepare step identifies the primary role responsible for completing the task and provides additional guidance on supporting roles that can oversee and support task implementation. Because of the preparatory nature of step zero, NIST has simplified the task implementation process as much as possible.
The Prepare step allows security teams and executives to discover what the adoption of the NIST RMF would look like at their organization, and what some of the benefits of adoption might be. As organizations across the country are looking to NIST as the gold standard of security and risk management, there is no better time than now to get started.