The Risk Management Framework (RMF) is most commonly associated with the NIST SP 800-37 guide for "Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," which has been available for FISMA compliance since 2004. It was updated in December 2018 to revision 2.
This was the result of a Joint Task Force Transformation Initiative Interagency Working Group; it’s something that every agency of the U.S. government must now abide by and integrate into their processes. It was most recently integrated into DoD instructions, and many organizations are now creating new guidance for compliance to the RMF.
For all federal agencies, RMF describes the process that must be followed to secure, authorize and manage IT systems. RMF defines a process cycle that is used for initially securing the protection of systems through an Authorization to Operate (ATO) and integrating ongoing risk management (continuous monitoring). Revision 2 of the RMF was the first NIST publication to address both privacy and security risk management in an integrated methodology.
Risk Management Framework Steps
The RMF is a now a seven-step process as illustrated below:
Step 1: Prepare
This step was an addition to the Risk Management Framework in Revision 2. Tasks in the Prepare step are meant to support the rest of the steps of the framework. The step is mainly comprised of guidance from other NIST publications, requirements as set by the Office of Management and Budget (OMB) policy, or a combination of the two. In some cases Organizations may find they have implemented some of the tasks from the Prepare step as part of their risk management program. The purpose of this step was to “reduce complexity as organizations implement the Risk Management Framework, promote IT modernization objectives, conserve security and privacy resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.”
See the RMF Quick Start guide on Prepare for more details.
Step 2: Categorize Information Systems
This step is all administrative and involves gaining an understanding of the organization. Prior to categorizing a system, the system boundary should be defined. Based on that system boundary, all information types associated with the system can and should be identified. Information about the organization and its mission, its roles and responsibilities as well as the system’s operating environment, intended use and connections with other systems may affect the final security impact level determined for the information system.
References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60 Volume 1 and Volume 2; CNSS Instruction 1253.
Step 3: Select Security Controls
Security controls are the management, operational and technical safeguards or countermeasures employed within an organizational information system that protect the confidentiality, integrity and availability of the system and its information. Assurance boosts confidence in the fact that the security controls implemented within an information system are effective in their application.
References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53B; CNSS Instruction 1253.
Step 4: Implement Security Controls
Step 3 requires an organization to implement security controls and describe how the controls are employed within the information system and its environment of operation. Policies should be tailored to each device to align with the required security documentation.
References: FIPS Publication 200; NIST Special Publications 800-34, 800-61, 800-128; CNSS Instruction 1253; Web: SCAP.NIST.GOV.
Step 5: Assess Security Controls
Assessing the security controls requires using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system.
References: NIST Special Publication 800-53A, NISTIR 8011.
Step 6: Authorize Information System
The authorize information system operation is based on a determination of the risk to organizational operations and individuals, assets, other organizations and the nation resulting from the operation of the information system and the decision that this risk is acceptable. Use reporting is designed to work with POA&M (Plan of Action & Milestones). This provides the tracking and status for any failed controls.
References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A.
Step 7: Monitor Security Controls
Continuous monitoring programs allow an organization to maintain the security authorization of an information system over time in a highly dynamic operating environment where systems adapt to changing threats, vulnerabilities, technologies and mission/business processes. While the use of automated support tools is not required, risk management can become near real-time through the use of automated tools. This will help with configuration drift and other potential security incidents associated with unexpected changes on different core components and their configurations as well as provide ATO (Authorization to Operate) standard reporting.
More NIST Risk Management Framework Resources
To sum things up, the Risk Management Framework places standards across government by aligning controls and language and improving reciprocity. It allows a focus on risk to address the diversity of components, systems and custom environments as opposed to using a one-size-fits-all solution. It builds security into systems and helps address security concerns faster. Overall, federal agency cybersecurity will be accomplished via continuous monitoring and better roll-up reporting.