Isc2 Cissp 1 12 1 Spotlight On The Risk Management Framework (RMF)


Spotlight on the Risk Management Framework (RMF)

Objectives:

At the end of this episode, I will be able to:

Understand and apply the recommended guidance of the NIST Risk Management
Framework (RMF) in my daily practice as an information security professional.

External Resources:

Spotlight on the Risk Management Framework (RMF)

Risk Management Framework (RMF) Overview -

The selection and specification of security controls for a system SHOULD BE
accomplished as part of an organization-wide information security program that
involves the management of organizational risk.

THE RISK MANAGEMENT FRAMEWORK PROVIDES A PROCESS THAT INTEGRATES SECURITY & RISK
MANAGEMENT ACTIVITIES INTO THE SYSTEM DEVELOPMENT LIFE CYCLE.

Risk-Based Approach -

The risk-based approach to security control selection and specification
considers effectiveness, efficiency, and constraints due to applicable laws,
directives, Executive Orders, policies, standards, or regulations.

The following activities related to managing organizational risk are paramount
to an effective information security program and can be applied to both new and
legacy systems within the context of the system development life cycle:

1. Prepare Step -

Prepare carries out essential activities at the organization, mission and
business process, and information system levels of the enterprise to help prepare
the organization to manage its security and privacy risks using the Risk
Management Framework.

2. Categorize Step -

Categorize the system and the information processed, stored, and transmitted by
that system based on an impact analysis (*1).

3. Select Step -

Select an initial set of baseline security controls for the system based on the
security categorization, tailoring and supplementing the security control
baseline as needed based on an organizational assessment of risk and local
conditions.

4. Implement Step -

Implement the security controls and document how the controls are deployed
within the system and environment of operation.

5. Assess Step -

Assess the security controls using appropriate procedures to determine the
extent to which the controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting the security requirements
for the system.

6. Authorize Step -

Authorize system operation based upon a determination of the risk to
organizational operations and assets, individuals, other organizations, and the
Nation resulting from the operation of the system and the decision that this
risk is acceptable (*2).

7. Monitor Step -

Monitor and assess selected security controls in the system on an ongoing basis
including assessing security control effectiveness, documenting changes to the
system or environment of operation, conducting security impact analyses of the
associated changes, and reporting the security state of the system to
appropriate organizational officials (*3).
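To make the Categorize, Select and Monitor steps above concrete, here is an added example (not from the original episode or from NIST). It assumes the FIPS 199 high-water-mark rule for system categorization and the LOW/MODERATE/HIGH control baselines of SP 800-53, neither of which the notes above name, and the information types it uses are constructed sample data.

```python
from dataclasses import dataclass

# Impact levels of FIPS 199 (assumption: the notes above do not name FIPS 199).
LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InfoType:
    """One information type the system processes, stores or transmits."""
    name: str
    impact: dict  # objective -> "low" | "moderate" | "high"

def categorize(info_types):
    """Step 2 (Categorize): per-objective high-water mark across all information
    types; the overall system categorization is the highest objective value."""
    per_objective = {
        obj: NAMES[max(LEVELS[it.impact[obj]] for it in info_types)]
        for obj in OBJECTIVES
    }
    overall = NAMES[max(LEVELS[v] for v in per_objective.values())]
    return per_objective, overall

def select_baseline(overall):
    """Step 3 (Select): the initial baseline follows the overall categorization;
    tailoring and supplementing are a separate, organization-specific decision."""
    return f"{overall.upper()} baseline"

def security_impact_analysis(before_types, after_types):
    """Step 7 (Monitor): re-categorize after a change to the system or its
    environment of operation and report whether the selected baseline must change."""
    _, before = categorize(before_types)
    _, after = categorize(after_types)
    return {"before": before, "after": after,
            "baseline_change_required": before != after}

def sample_system():
    """Constructed sample data: a public web portal that also handles payroll."""
    return [
        InfoType("public_web_content",
                 {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"}),
        InfoType("payroll_records",
                 {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"}),
    ]
```

Adding a high-confidentiality information type to the sample system during the Monitor step raises the categorization from moderate to high, which is exactly the kind of change a security impact analysis must surface before the authorization decision is revisited.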

Footnotes:

1. The RMF categorize step, including consideration of legislation, policies,
directives, regulations, standards, and organizational mission/business/operational
requirements, facilitates the identification of security requirements.

2. NIST Special Publication 800-37 Revision 2 provides guidance on authorizing a
system to operate.

3. NIST Special Publication 800-37 Revision 2 provides guidance on monitoring
the security controls in the environment of operation, the ongoing risk
determination and acceptance, and the approved system authorization to operate
status.
