The Risk Management Framework (RMF) is most commonly associated with the NIST SP 800-37 guide for “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” which has been available for FISMA compliance since 2004. It was updated in December 2018 to revision 2.
This was the result of a Joint Task Force Transformation Initiative Interagency Working Group; it’s something that every agency of the U.S. government must now abide by and integrate into their processes. It was most recently integrated into DoD instructions, and many organizations are now creating new guidance for compliance to the RMF.
For all federal agencies, RMF describes the process that must be followed to secure, authorize and manage IT systems. RMF defines a process cycle that is used for initially securing the protection of systems through an Authorization to Operate (ATO) and integrating ongoing risk management (continuous monitoring). Revision 2 of the RMF was the first NIST publication to address both privacy and security risk management in an integrated methodology.
Risk Management Framework Steps
The RMF is a now a seven-step process as illustrated below:
Step 1: Prepare
This step was an addition to the Risk Management Framework in Revision 2. Tasks in the Prepare step are meant to support the rest of the steps of the framework. The step is mainly comprised of guidance from other NIST publications, requirements as set by the Office of Management and Budget (OMB) policy, or a combination of the two. In some cases Organizations may find they have implemented some of the tasks from the Prepare step as part of their risk management program. The purpose of this step was to “reduce complexity as organizations implement the Risk Management Framework, promote IT modernization objectives, conserve security and privacy resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.”
See the RMF Quick Start guide on Prepare for more details.
References: NIST Special Publications 800-30, 800-39, 800-18, 800-160 Volume 1, NISTIR 8062;
Step 2: Categorize Information Systems
This step is all administrative and involves gaining an understanding of the organization. Prior to categorizing a system, the system boundary should be defined. Based on that system boundary, all information types associated with the system can and should be identified. Information about the organization and its mission, its roles and responsibilities as well as the system’s operating environment, intended use and connections with other systems may affect the final security impact level determined for the information system.
Categorize Step Quick Start Guide
References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60 Volume 1 and Volume 2; CNSS Instruction 1253.
Step 3: Select Security Controls
Security controls are the management, operational and technical safeguards or countermeasures employed within an organizational information system that protect the confidentiality, integrity and availability of the system and its information. Assurance boosts confidence in the fact that the security controls implemented within an information system are effective in their application.
Select Step Quick Start Guide
References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53B; CNSS Instruction 1253.
Step 4: Implement Security Controls
Step 3 requires an organization to implement security controls and describe how the controls are employed within the information system and its environment of operation. Policies should be tailored to each device to align with the required security documentation.
Implement Step Quick Start Guide
References: FIPS Publication 200; NIST Special Publications 800-34, 800-61, 800-128; CNSS Instruction 1253; Web: SCAP.NIST.GOV.
Step 5: Assess Security Controls
Assessing the security controls requires using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system.
Assess Step Quick Start Guide
References: NIST Special Publication 800-53A, NISTIR 8011.
Step 6: Authorize Information System
The authorize information system operation is based on a determination of the risk to organizational operations and individuals, assets, other organizations and the nation resulting from the operation of the information system and the decision that this risk is acceptable. Use reporting is designed to work with POA&M (Plan of Action & Milestones). This provides the tracking and status for any failed controls.
Authorize Step Quick Start Guide
References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A.
Step 7: Monitor Security Controls
Continuous monitoring programs allow an organization to maintain the security authorization of an information system over time in a highly dynamic operating environment where systems adapt to changing threats, vulnerabilities, technologies and mission/business processes. While the use of automated support tools is not required, risk management can become near real-time through the use of automated tools. This will help with configuration drift and other potential security incidents associated with unexpected change on different core components and their configurations as well as provide ATO (Authorization to Operate) standard reporting.
Monitor Step Quick Start Guide
References: NIST Special Publications 800-53A, 800-53, 800-137; NISTIR 8011, NISTIR 8212.
More NIST Risk Management Framework Resources
To sum things up, the Risk Management Framework places standards across government by aligning controls and language and improving reciprocity. It allows a focus on risk to address the diversity of components, systems and custom environments as opposed to using a one-size-fits-all solution. It builds security into systems and helps address security concerns faster. Overall, federal agency cybersecurity will be accomplished via continuous monitoring and better roll-up reporting.
NIST SP 800-37r2 Guide