NIST 800-37 Rev 2 updates for RMF in Public Sector
When I look at the documentation for Public Sector, the Risk Management Framework (RMF) used seems to be based on NIST 800-37 Rev1 that had six steps to the Risk Management Framework.
NIST published an update to this RMF in NIST 800-37 Rev2 in December of 2018. The revised RMF now looks like this:
As you can see, a seventh step of Prepare has been inserted into the RMF. Looking at the guide, they define 18 tasks to the Prepare step in the RMF. Seven of these tasks are at the Organization Level:
None of these seem to be addressed in the Public Sector solution as it is today. I am interested in what RSA has planned for these tasks. I might need to make a questionnaire that would target one of the levels in the Organization Hierarchy.
There are also 11 tasks in the Prepare Step that are System Level tasks.
All but two (P-13 and P-15) of these seem to map to fields, sections etc. in the Authorization Package. Once again I was hoping to hear RSA's plan to address these in a future release of Authorization Package. This would avoid having to add configuration changes to Authorization Package that would later have to be worked around in upgrades once RSA addresses them.