data security, security, data

The NIST Risk Management Framework

August 15, 2024

The NIST Risk Management Framework (NIST-RMF) is a structured process that integrates information security and risk management activities into the system development life cycle. It is the operational counterpart to the Cybersecurity Framework (CSF): the CSF tells you what good looks like, and the RMF tells you how to get there on a specific system.

The framework helps an organization prioritize its security requirements, allocate resources to security and privacy needs, and develop and disseminate the policies and procedures that back those decisions. If you own operational risk for any system, the RMF gives you a defensible way to make and document the decisions you are going to make anyway.

The four risk management activities

Risk management at the organization level breaks into four ongoing activities:

Frame risk. Establish a risk context by describing the environment in which risk-based decisions are made, and produce a risk management strategy.

Assess risk. Identify threat sources and vulnerabilities, the potential mission and business impact, and the likelihood and uncertainty of occurrence.

Respond to risk. Provide a consistent organization-wide response by developing alternative courses of action, choosing one, and implementing it.

Monitor risk. Verify the planned response measures were implemented, determine whether they remain effective, and track how risk changes over time.

Getting leadership support

A successful organization-wide risk management program needs sponsorship from the top. The argument that lands with executives is not compliance. It is continuity: the goal of NIST-RMF is to let the organization run its day-to-day operations and accomplish its mission without interruption. Frame the RMF as a way to keep the business running, and the support follows.

Why use the RMF

The Risk Management Framework gives an organization:

  1. A structured but flexible process for managing risk related to its operations.
  2. Guidance for determining the right level of risk mitigation to protect the systems and infrastructure supporting mission and business processes.
  3. A repeatable methodology that balances business goals and organizational priorities with security requirements and policy.
  4. A continuous monitoring loop that improves the security posture over time.
  5. A technology-neutral approach that applies to any information system without modification.

The seven steps

The NIST-RMF has seven steps: one preparatory step plus six main steps. The steps are listed in order, but everything after Prepare can be carried out in a non-sequential order. Organizations have flexibility in how each step is implemented, as long as the applicable requirements are met and the risk is effectively managed.

All seven steps are essential.

1. Prepare

Carry out the essential activities to get the organization ready to manage its security and privacy risks using the NIST-RMF.

1.1 Establish risk management roles. Identify and assign individuals to specific roles in security and privacy risk management.

1.2 Establish a risk management strategy. Document the organization’s risk management strategy, including a determination of risk tolerance.

1.3 Risk assessment, organization. Assess organization-wide security and privacy risk and update the assessment on an ongoing basis.

1.4 Organizationally-tailored control baselines and CSF profiles (optional). Establish, document, and publish tailored control baselines and cybersecurity framework profiles.

1.5 Common control identification. Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.

1.6 Impact level prioritization. Prioritize systems within the same impact level.

1.7 Continuous monitoring strategy, organization. Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.

1.8 Mission or business focus. Identify the missions, business functions, and business processes that the system is intended to support.

1.9 System stakeholders. Identify stakeholders with an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system.

1.10 Asset identification. Identify the assets that require protection.

1.11 Authorization boundary. Determine the authorization boundary of the system.

1.12 Information types. Identify the types of information to be processed, stored, or transmitted by the system.

1.13 Information life cycle. Identify and understand all stages of the information life cycle for each information type.

1.14 Risk assessment, system. Conduct a system-level risk assessment and update it on an ongoing basis.

1.15 Requirements definition. Define the security and privacy requirements for the system and its environment of operation.

1.16 Enterprise architecture. Determine the placement of the system within the enterprise architecture.

1.17 Requirements allocation. Allocate security and privacy requirements to the system and to its environment of operation.

1.18 System registration. Register the system with the appropriate organizational program or management office.

2. Categorize

Inform the organization’s risk management processes by determining the adverse impact of losing confidentiality, integrity, or availability of organizational systems and information.

2.1 System description. Document the characteristics of the system.

2.2 Security categorization. Categorize the system and document the categorization results.

2.3 Security categorization review and approval. Review and approve the security categorization results and decision.

3. Select

Tailor, select, and document the controls necessary to protect the system and the organization, commensurate with risk to operations, assets, individuals, and the Nation.

3.1 Control selection. Select the controls for the system and its environment of operation.

3.2 Control tailoring. Tailor the selected controls for the system and its environment of operation.

3.3 Control allocation. Allocate security and privacy controls to the system and to the environment of operation.

3.4 Document planned control implementations. Document the controls for the system in the security and privacy plans.

3.5 Continuous monitoring strategy, system. Develop and implement a system-level monitoring strategy that is consistent with, and supplements, the organizational strategy.

3.6 Plan review and approval. Review and approve the security and privacy plans for the system and its environment of operation.

4. Implement

Translate the security and privacy controls identified in the system security plan into an actual, working implementation.

4.1 Control implementation. Implement the controls as specified in the security and privacy plans.

4.2 Update control implementation information. Document any changes between the planned and the as-implemented state of the controls.

5. Assess

Determine whether the controls selected for implementation are operating correctly, working as intended, and producing the desired outcome against the security and privacy requirements.

5.1 Assessor selection. Select the assessor or assessment team appropriate for the type of control assessment.

5.2 Assessment plan. Develop, review, and approve the plans for assessing implemented controls.

5.3 Control assessments. Assess the security controls following the procedures defined in the security assessment plan.

5.4 Assessment reports. Prepare the reports documenting the findings and recommendations from the assessments.

5.5 Remediation actions. Run the initial remediation actions on the controls and reassess the remediated controls.

5.6 Plan of action and milestones. Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports.

6. Authorize

Provide accountability by requiring a senior management official to determine whether the security and privacy risk to organizational operations and assets is acceptable.

6.1 Authorization package. Assemble the authorization package and submit it to the authorizing official for an authorization decision.

6.2 Risk analysis and determination. Analyze and determine the risk from operating or using the system, or from providing common controls.

6.3 Risk response. Identify and implement the preferred course of action in response to the risk determined.

6.4 Authorization decision. Decide whether the risk from operating or using the system, or providing or using common controls, is acceptable.

6.5 Authorization reporting. Report the authorization decision and any control deficiencies that represent significant security or privacy risk.

7. Monitor

Maintain ongoing situational awareness about the security and privacy posture of the system and the organization to support risk management decisions.

7.1 System and environment changes. Monitor the system and its environment of operation for changes that affect its security and privacy posture.

7.2 Ongoing assessments. Assess the controls implemented within, and inherited by, the system in accordance with the continuous monitoring strategy.

7.3 Ongoing risk response. Respond to risk based on the results of ongoing monitoring, risk assessments, and outstanding items in the plans of action and milestones.

7.4 Authorization package updates. Update the plans, assessment reports, and plans of action and milestones based on the continuous monitoring results.

7.5 Security and privacy reporting. Report the security status of the system, including the effectiveness of the controls employed within and inherited by it, to the appropriate organizational officials on an ongoing basis, in accordance with the organization-defined monitoring strategy.

7.6 Ongoing authorization. Review the reported security status on an ongoing basis and determine whether the risk to operations, assets, individuals, other organizations, or the Nation remains acceptable.

7.7 System disposal. Implement a decommissioning strategy that executes the required actions when a system is removed from service.

Closing

Understanding what risk is and how it gets addressed with the NIST-RMF lets you do your part to keep your organization’s systems sound. The RMF is not a one-time project. It is an ongoing activity that supports the organizational mission and business functions, and the methodology is technology-neutral so it applies to any system without modification.

For small and medium-sized businesses, the RMF gives you a structured but flexible way to identify, protect, detect, respond, and recover. It also gives you the documentation you will need the first time a customer, a partner, or a regulator asks how you manage risk.

If you are adopting the NIST-RMF for the first time, start with Prepare. The work you do there sets the ceiling for everything that follows. If you want help adapting these steps to your environment, that is the work I do.