NIST RMF vs Adaptive SME Security

NIST has just released SP 1314 Risk Management Framework (RMF) Small Enterprise Quick Start Guide as a lightweight form/introduction to the full RMF.


... and, despite having said the steps are not necessarily sequential ...
It's interesting to compare and contrast the NIST RMF against the Adaptive SME Security approach we released just last week:

Relative to the Adaptive approach, RMF places more emphasis on assurance and authorisation, reflecting NIST's classical approach for the sprawling US defence industry, where the substantial risks of infiltration and compromise of supply chains by "forrners" (spies and spooks) imply the need for strong controls and governance.

As a former (reformed!) auditor, I certainly appreciate the value of assurance and management information in general, so maybe the Adaptive approach should offer stronger guidance in that area. However, I'm not entirely convinced of the value of stronger assurance for SMEs, especially for micro-SMEs. For example, the costs relating to, say, penetration testing or '27001 certification audits can be disproportionately high for micro-SMEs compared to larger organisations - not out of the question, just hard to justify as a legitimate investment, given such limited resources.

I'm idly wondering if there is some way to reduce the assurance costs for micro-SMEs without decimating the benefits - some sort of lightweight assurance maybe? Perhaps self-assessment would work, based on a maturity approach similar to the controls table in the Adaptive guideline. Or even simpler checklists prompting SME management to review, consider and evaluate their situation.

At the same time, RMF uses "system" to mean IT system, I think, rather than the broader interpretation as a collection of organisational resources and activities associated with achieving objectives (or something along those lines). Perhaps NIST might consider explicitly extending the risk landscape beyond the IT sphere.

Hmmmmmmmmm.