A Synopsis of the NIST Risk Management Framework
- Tier 1 – Organizational Level – At this level, risk is assessed from an organizational perspective, with mitigation strategies such as governance and holistic strategies involving risk tolerance, monitoring and oversight.
- Tier 2 – Mission/Business Process – Risk is assessed from the processes associated with the mission/business and is guided by the decisions from Tier 1.
- Tier 3 – Information System – The risk associated with information systems is evaluated and guided by the decisions from Tiers 1 and 2. The selection of security controls leverages those outlined in NIST SP 800-53.
  - System-Specific Controls – controls that are focused on a particular system.
  - Common Controls – provide cost-effective and efficient protection for multiple systems.
  - Hybrid Controls – include characteristics of both common and system-specific controls.
- RMF Step 2 – Selection – Based on the security categorization, a baseline of minimum security controls is selected to protect the information system as appropriate.
- RMF Step 3 – Implementation – The security controls identified during the selection process are implemented. In addition, security control documentation is produced to illustrate the implementation of system-specific, common, and hybrid controls.
- RMF Step 4 – Assessment – To ensure that the selected security controls meet their intended requirements, approved assessment procedures are used to confirm that the controls are configured properly, are functioning as expected, and are performing to meet the necessary requirements.
- RMF Step 5 – Authorization – Based on a determination that the risk to the organization, its assets, individuals, and other organizations is acceptable, the operation of the information system is authorized.
- RMF Step 6 – Monitor – The security controls for the information system are monitored on an ongoing basis, with adjustments made as necessary.
National Institute of Standards and Technology (February 2010). Guide for Applying the Risk Management Framework to Federal Information Systems (NIST SP 800-37 Rev. 1). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf