NIST 800-37 Revision 2 – RMF for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

This is an overview of NIST 800-37 Revision 2. I discuss the changes, the sources of those changes, and the Cybersecurity Framework.

NIST Special Publication 800-37, Revision 2
Risk Management Framework for Security and Privacy
Initial Public Draft: May 2018
Final Public Draft: July 2018
Final Publication: October 2018

References:
NIST SP 800-37 Rev 2
Executive Order
Cybersecurity Framework
NIST SP 800-53 (Revision 5)
Source of Changes:
President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Office of Management and Budget Memorandum M-17-25 – next-generation Risk Management Framework (RMF) for systems and organizations
NIST SP 800-53 Revision 5 Coordination

"Spies Among Us", Ira Winkler (Rob Slade book review)

The following is a review by Robert Slade.  Robert Slade is a data communications and security specialist and author of Robert Slade's Guide to Computer Viruses: How to Avoid Them, How to Get Rid of Them, and How to Get Help.

REVIEW: “Spies Among Us”, Ira Winkler  

by Rob Slade

“Spies Among Us”, Ira Winkler, 2005, 0-7645-8468-5, U$27.50/C$38.99/UK#16.99
John Wiley & Sons, Inc.
5353 Dundas Street West, 4th Floor, Etobicoke, ON  M9B 6H8
416-236-4433 fax: 416-236-4448
Audience n+ Tech 1 Writing 3 (see revfaq.htm for explanation) 326 p.

In the introduction, Winkler admits that the title is slightly misleading: most surveillance is not done by international spies, but by common or garden thieves, competitors, and so forth.  The point that he is trying to make is that non-terrorists can hurt you, although he raises the issue with illustrations that are not completely clear.

Part one deals with espionage concepts.  Chapter one reviews spying terminology, but makes points about the process by explaining the jargon and distinctions.  Risk analysis is introduced in chapter two, but the calculations used may not be clear to all readers.  An attempt to assess the value of information is made in chapter three.  Chapter four outlines threats (entities that might harm you) and five covers vulnerabilities–the way your own operations can make you subject to attack.

Part two describes some case studies of spying.  The content is interesting, although the value is rather concentrated in the short “vulnerabilities exploited” section at the end of each chapter.  I must say that I've read all manner of similar stories and case studies in various security books, and Winkler's are more interesting than most.

Part three deals with protection.  Chapter twelve lists a number of countermeasures.  These are described in a level of detail that is appropriate for non-specialists (in security), although the content related to technical safety might be a bit thin.  How to plan and implement an overall security program is outlined in chapter thirteen, which includes a very interesting section on how the Department of Homeland Security has taught us valuable lessons about how *not* to execute safeguards.

While not structured in a formal manner that would make for easier reference, this book nonetheless has some excellent content.  Like Schneier's “Beyond Fear” (cf. BKBYNDFR.RVW), it is easy enough, and engaging enough, for those outside of the security profession to read.  Busy managers may find the work a bit wordy and disorganized, but it makes useful points, and has constructive suggestions.  Home users and amateurs will find the style most suited to them, although the recommended controls are aimed at businesses.  Security professionals will not (or should not) find anything new here, but may appreciate the “war stories” and explanations that can be employed in security awareness training.

copyright Robert M. Slade, 2005   BKSPAMUS.RVW   20050531
