Cyber Security Federal Compliance. Cybersecurity National Institute of Standards and Technology.

Organizations must exercise due diligence in managing information security and privacy risk. This
is accomplished, in part, by establishing a comprehensive risk management program that uses
the flexibility inherent in NIST publications to categorize systems, select and implement security
and privacy controls that meet mission and business needs, assess the effectiveness of the
controls, authorize the systems for operation, and continuously monitor the systems. Exercising
due diligence and implementing robust and comprehensive information security and privacy risk
management programs can facilitate compliance with applicable laws, regulations, executive
orders, and governmentwide policies. Risk management frameworks and risk management
processes are essential in developing, implementing, and maintaining the protection measures
necessary to address stakeholder needs and the current threats to organizational operations
and assets, individuals, other organizations, and the Nation. Employing effective risk-based
processes, procedures, methods, and technologies ensures that information systems and
organizations have the necessary trustworthiness and resiliency to support essential mission and
business functions, the U.S. critical infrastructure, and continuity of government.

Revision 5 of this foundational NIST publication represents a multi-year effort to develop the
next generation of security and privacy controls that will be needed to accomplish the above
objectives. It includes changes to make the controls more usable by diverse consumer groups
(e.g., enterprises conducting mission and business functions; engineering organizations
developing information systems, IoT devices, and systems-of-systems; and industry partners
building system components, products, and services). The most significant changes to this
publication include:
• Making the controls more outcome-based by removing the entity responsible for satisfying
the control (i.e., information system, organization) from the control statement;
• Integrating information security and privacy controls into a seamless, consolidated control
catalog for information systems and organizations;
• Establishing a new supply chain risk management control family;
• Separating control selection processes from the controls, thereby allowing the controls to be
used by different communities of interest, including systems engineers, security architects,
software developers, enterprise architects, systems security and privacy engineers, and
mission or business owners;