The Risk Management Framework for Information Systems and Organizations promotes near real-time risk management through implementation of continuous monitoring processes. It provides senior leaders and executives with the necessary information to make cost-effective risk management decisions about the systems supporting their missions and business functions.
“As we push computers to ‘the edge,’ building a complex world of interconnected information systems and devices, security and privacy risks (including supply chain risks) continue to be a large part of the national conversation and topics of great importance. The significant increase in the complexity of the hardware, software, firmware, and systems within the public and private sectors (including the U.S. critical infrastructure) represents a significant increase in attack surface that can be exploited by adversaries. Moreover, adversaries are using the supply chain as an attack vector and effective means of penetrating our systems, compromising the integrity of system elements, and gaining access to critical assets.” – NIST SP 800-37, R2