A Synopsis of the NIST Risk Management Framework

Applying The NIST Risk Management FrameworkThere are a number of approaches to managing risk. I chose to focus on this approach because it's free to use and the supporting documentation is readily available. Managing risk is a complex process and requires the input from the whole organization. There are three tiers associated with the respective portions of the organization:

• Tier 1 - Organizational Level – At this level, risk is assessed from an organizational perspective with mitigation strategies such as governance and holistic strategies involving risk tolerance, monitoring and oversight.
• Tier 2 – Mission/Business Process – Risk is assessed from the processes associated with the mission/business and is guided by the decision from Tier 1.
• Tier 3 - Information System – The risk associated with information systems is evaluated and guided by the decisions from Tiers 1 & 2. The selection of security controls leverages those outlined in NIST SP 800-53.

The risk management process begins early in the System Development Life Cycle (SDLC). A majority of the work of the RMF is done at Tier 3. BoundariesBoundaries are key in developing the scope of information systems and include people, processes and technology. The commonality of components can change over time, so continuous monitoring should occur to ensure the scope of the information system is accurate. At times, the boundaries may become unclear due to the complexity of the system.  One strategy is to break the information system into sub systems for easier manageability. Security ControlsThere are three type so security controls that can be used within an organization:

1. System-Specific Controls – controls that are focused on a particular system.
2. Common Controls – provide cost effective and efficient protection for multiple systems.
3. Hybrid Controls – include characteristics of both common and system specific controls.

 The RMF ProcessRMF Step 1 – Categorization – Information must be categorized for information systems and how data is processed, transmitted and stored. Additionally, the impact of this data on the organization must be considered.

1. RMF Step 2 – Selection – Based on security categorizations, a baseline of minimum security controls will be selected to protect information systems as appropriate.
2. RMF Step 3 – Implementation – The selected security controls are implemented as identified from the selection process. In addition, security control documentation occurs to illustrate the implementation of system-specific, common, and hybrid controls.
3. RMF Step 4 – Assessment – In order to ensure that the selected security controls are meeting their intended requirements, approved assessment procedures are utilized to confirm they are configured properly, functioning as expected, and are performing to meet the necessary requirements.
4. RMF Step 5 – Authorization – Based on the decision that acceptable risk to the organization, assets, individuals, and other organizations has been achieved, the operation of the information system will be authorized.
5. RMF Step 6 - Monitor – The ongoing monitoring of security controls for the information systems will occur regularly with adjustments made as necessary.

 Please keep in mind that this is a very simplistic explanation of the RMF process. This article is based on NIST SP 800-37R1. For a more detailed explanation of the RMF, please reference the associated NIST publication.

---

National Institute of Standards and Technology (February, 2010), Guide for Applying the Risk Management Framework to Federal Information Systems, Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf