The Risk Management Framework (RMF) is most commonly associated with the NIST SP 800-37 guide for “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” which has been available for FISMA compliance since 2004.
This was the result of a Joint Task Force Transformation Initiative Interagency Working Group; it’s something that every agency of the U.S. government must now abide by and integrate into their processes. It was most recently integrated into DoD instructions, and many organizations are now creating new guidance for compliance to the RMF.
For all federal agencies, RMF describes the process that must be followed to secure, authorize and manage IT systems. RMF defines a process cycle that is used for initially securing the protection of systems through an Authorization to Operate (ATO) and integrating ongoing risk management (continuous monitoring).
Risk Management Framework Steps
The RMF is a six-step process as illustrated below:
Step 1: Categorize Information Systems
This step is all administrative and involves gaining an understanding of the organization. Prior to categorizing a system, the system boundary should be defined. Based on that system boundary, all information types associated with the system can and should be identified. Information about the organization and its mission, its roles and responsibilities as well as the system’s operating environment, intended use and connections with other systems may affect the final security impact level determined for the information system.
References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60; CNSS Instruction 1253.
Step 2: Select Security Controls
Security controls are the management, operational and technical safeguards or countermeasures employed within an organizational information system that protect the confidentiality, integrity and availability of the system and its information. Assurance boosts confidence in the fact that the security controls implemented within an information system are effective in their application.
References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253.
Step 3: Implement Security Controls
Step 3 requires an organization to implement security controls and describe how the controls are employed within the information system and its environment of operation. Policies should be tailored to each device to align with the required security documentation.
References: FIPS Publication 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253; Web: SCAP.NIST.GOV.
Step 4: Assess Security Controls
Assessing the security controls requires using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system.
References: NIST Special Publication 800-53A, 800-30, 800-70.
Step 5: Authorize Information System
The authorize information system operation is based on a determination of the risk to organizational operations and individuals, assets, other organizations and the nation resulting from the operation of the information system and the decision that this risk is acceptable. Use reporting is designed to work with POA&M (Plan of Action & Milestones). This provides the tracking and status for any failed controls.
References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A.
Step 6: Monitor Security Controls
Continuous monitoring programs allow an organization to maintain the security authorization of an information system over time in a highly dynamic operating environment where systems adapt to changing threats, vulnerabilities, technologies and mission/business processes. While the use of automated support tools is not required, risk management can become near real-time through the use of automated tools. This will help with configuration drift and other potential security incidents associated with unexpected change on different core components and their configurations as well as provide ATO (Authorization to Operate) standard reporting.
References: NIST Special Publications 800-30, 800-39, 800-53A, 800-53, 800-137; CNSS Instruction 1253.
More NIST Risk Management Framework Resources
To sum things up, the Risk Management Framework places standards across government by aligning controls and language and improving reciprocity. It allows a focus on risk to address the diversity of components, systems and custom environments as opposed to using a one-size-fits-all solution. It builds security into systems and helps address security concerns faster. Overall, federal agency cybersecurity will be accomplished via continuous monitoring and better roll-up reporting.
To learn more about RMF and how to apply it in your programs, read our whitepaper: “Adjusting to the reality of the RMF.”
NIST SP 800-37 Guide
P.S. – Special thanks go to Sean Sherman for the material he helped put together on the Risk Management Framework that went into this article.