Companies working on cybersecurity preparedness have long looked to the National Institute of Standards and Technology (NIST) for guidance. NIST—formally charged with setting the standards for the federal government and its subcontractors—often leads the charge for private industry as well. This is why NIST has long been seen as a leader in setting a common standard in the realm of cybersecurity.

In 2018, NIST broadened its guidance beyond security measures and waded into the realm of privacy risk management.

In particular, contained in Draft NIST Special Publication (SP) 800-37 Revision 2, NIST’s risk management framework (RMF) expanded beyond assessing external threats to addressing a broader concern for the individual’s privacy and protecting personally identifiable information.

The new RMF now places more emphasis than previous versions on the integration of security and privacy into systems throughout the entire development lifecycle. If you and your IT department are in the planning, creating, testing, or deploying phase of an information system’s lifecycle, the RMF now takes security and privacy into consideration at that phase.

This final draft gives us a much better idea of what the finished RMF will look like. To more effectively manage risk, be sure to take advantage of this resource and assess changes you can make to your processes.
If you have any questions concerning the Risk Management Framework or any other cybersecurity and data privacy questions, please contact a member of the Woods Rogers Cybersecurity Practice.