Understanding NIST RMF & GDPR

RISK & COMPLIANCE

Me

3/13/2023, 2 min read

The NIST RMF consists of six steps to help an organization select the appropriate security controls to protect against resource, asset, and operational risk. They are:

Step 1: Categorize the system and the information that is processed, stored, and transmitted by the system.

Step 2: Select an initial set of baseline security controls for the system based on the categorization, tailoring, and supplementing as needed.

Step 3: Implement the security controls and document how they are deployed.

Step 4: Assess the security controls to determine the extent to which they are meeting the security requirements for the system.

Step 5: Authorize system operation based upon a determination that the level of risk is acceptable.

Step 6: Monitor and assess selected security controls in the system on an ongoing basis and report the security state of the system to appropriate organizational officials.

NIST began adapting and evolving some of its requirements to meet GDPR and privacy considerations in 2018. You can refer to this Crosswalk for examples of the evolution of the standard: https://dataprotectionmapping.z21.web.core.windows.net/#/dashboard

The GDPR aims to better protect data subjects against personal information abuse by reducing the collection, storage, and distribution of personal data.

  • Integrating security and privacy into systems development.

    • Building security and privacy into information systems at the initial design stage is a major concern. The RMF also references NIST systems security engineering guidance at appropriate points, including NIST’s SP 800-160, addressing engineering of secure systems.

  • Leadership guidance.

    • The RMF provides guidance on how organizational leadership can better implement the RMF and communicate its protection plans and risk management strategies to system administrators.

  • Supply chains.

    • The RMF also addresses supply chain concerns in the areas of counterfeit components, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and other potentially harmful activities that can affect an organization’s systems and system components.

  • Supporting security and privacy safeguards.

    • The RMF update will provide organizations with a disciplined and structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST’s SP 800-53, Revision 5.

Today, NIST has incorporated much of the GDPR's privacy focus into its published Cybersecurity Framework (CSF) in order to better manage risk. The Risk Management Framework (RMF) now covers the NIST SP 800-53 security controls for the federal government, aligning it with the CSF. These changes further guide organizations in meeting GDPR requirements to build integrated security and privacy into systems development and to support security and privacy safeguards. While NIST is not an international standard, its framework has evolved to meet international GDPR standards and requirements.