Notes on NIST Risk Management Framework

This is a brief summary about the basics of the NIST 800-37 Rev 2 – Risk Management Framework (RMF). Link to the course I took is at the bottom of this post. Included are the main points from the course (in chronological order); the most important section is perhaps the last part which describes in detail the seven steps of the RMF.

_____________________________________________________________________

Background:

Each federal agency is required to develop, document, and implement an agency wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source. Part of FISMA (Federal Information Security Modernization Act – 2002, and 2014)

FISMA requires federal organizations to: Provide information security protections commensurate with assessed risk; Ensure senior leaders provide information security for assets under their control; Ensure the organization has trained personnel to assist in complying with FISMA and related policies; Provide annual reports on the adequacy and effectiveness of information security, policies, procedures, and practices; Develop, document and implement an information security program; Develop and maintain an inventory of systems under the control of the organization; Develop security awareness training to inform personnel of information security risks; Perform an independent evaluation of the information security program and practices to determine program and practices effectiveness.

_____________________________________________________________________

Purpose:

NIST SP800-37 Purpose is to: Promote an organization-wide risk management process to include privacy and information security risk; Manage privacy and information security risk consistent with mission/business objectives and the overall risk strategy; Ensure consistent risk posture throughout organization; Integrate security and privacy requirements into the organization’s enterprise architecture; Establish who is accepting risk for the system and organization; Provide senior leaders the necessary information about organization’s risk posture to make informed decisions.

Each step/task of the RMF is aligned with existing system security engineering processes (where applicable).

_____________________________________________________________________

Fundamentals:

Organization wide Risk Management –

Level 1 – Organization
Level 2 – Mission/ Business Process
Level 3 – System (Environment of Operation)

Level 1 is more strategic focus, where level 3 is granular/tactical approach to risk. There should be bi-directional information flows between the different levels of the organization.

Risk Management is a comprehensive process that requires:

   Framing Risk – establish a risk context by describing the decision making environment
   Assessing Risk – identify threat sources and vulnerabilities, potential impact, and likelihood
   Responding to Risk – provide consistent response – developing and evaluating courses of action
   Monitoring Risk – verify risk response measures are implemented and determine effectiveness

_____________________________________________________________________

Steps and Structure:

Steps

There are seven steps in the RMF:
Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor

These are detailed in the following section.

Each step in the RMF has a purpose statement, set of outcomes, and tasks that are carried out to achieve those outcomes captured in the Step Summary

Executing the RMF requires close collaboration between security and privacy programs. While these programs have different objectives, they overlap.

Authorization
Authorization Boundaries – Establish the scope of protection for systems; Defines the scope of the authorizing official’s responsibility and accountability for protecting information resources and individuals’ privacy. Organizations have flexibility in determining this boundary. Considerations for determining authorization boundaries may include systems under same direct management, similar mission/business functions, requirements, security/privacy concerns, cost. Systems can be broken into sub-systems which have their own boundaries, all under the umbrella of the grander Authorization Boundary.

Authorization Types: Type, Facility, Traditional, Joint

Type – Single for a common system, often in conjunction with facility

Facility – Authorizes common controls provided in a specific environment

Traditional – Single official in senior leadership responsible/accountable for common controls

Joint – Multiple officials having a shared interest in authorizing a system

Initial – Based on a complete zero-based review of the system
Ongoing – Subsequent risk determinations, and risk decisions

Re-Authorization – Static point in time risk determination/acceptance that occurs after initial

What authorization decisions are there? Authorization to Operate, Common Control, Authorization to use, Denial of Authorization

Risk management roles and responsibilities
Everyone has a role. These can include Authorizing Official, C-Suite Officials, Enterprise Architect, Information Owner, Risk Executive, Security/Privacy Architect, System Owner, etc.

The Authorizing Official is a senior executive with responsibility to Authorize a system. They Consult with multiple organizational personnel and other parties. For Federal agencies, this role is a US Government function and is assigned to government personnel only.

_____________________________________________________________________

Summary:

-Managing risk is a complex multifaceted activity that requires the involvement of the entire organization

-Privacy, security and supply chain risk management is not a static process

-Authorization boundary defines the system for RMF execution to facilitate risk management and accountability, define for an account for flow of information through the system

-Security and privacy programs require close collaboration, defining roles and responsibilities allows an organization to effectively accomplish specific tasks, manage security and privacy risks, and clarify expectations

-Authorizing officials should not feel pressures into accepting risk that is not consistent with the organizational risk tolerance

-The RMF describes the roles and responsibilities of key participants involved in an organization’s risk management process. Across organizations, there may be differences in naming conventions and how responsibilities are allocated among personnel.

_____________________________________________________________________

Risk Management Framework:

Provides organizations with:

-A structured/flexible process for managing risk

-Guidance for determining the appropriate risk mitigation

-A repeatable methodology that balances mission/business goals with security requirements and policy guidance

-A process for continuous monitoring resulting in improvement of security posture

-A technology-neutral methodology that can be applied to any type of information system without modification

Seven Steps of the RMF:

Prepare –

Organizational level = P1-P7

System level = P8-P18

Help an organization be more efficient and cost effective in managing risk.

Organizational: Roles, strategy, risk assessment (organization), common control identification, etc.

System: Stakeholders, asset ID, authorization boundary, information life cycle, risk assessment (system), requirements, etc.

Categorize –

Inform organizational risk management process and tasks by determining the adverse impact of the loss of confidentiality, integrity, and availability of organizational systems and information to the organization.

C1-C3

Document characteristics of the system, security categorization, and review/approve

Select –

Select tailor, and document the controls necessary to protect the system and organization commensurate with risk to organizational operations and assets, individuals, and the Nation.

S1-S6

Control selection, Tailoring, Allocation, Document, Monitor, Plan Review/Approval

Implement –

Implement the controls identified in the system security plan

I1, I2

Implement the controls as specified in the security and privacy plan, Document changes to planned control implementations based on as-built.

Assess –

Once controls are implemented, they should be assessed for effectiveness. Determine the extent to which the controls are implemented correctly, operating as intended, and producing the required outcome with respect to meeting the security requirements of the system.

A1-A6

Select an assessor/assessment team, make an assessment plan, assess the security controls, report, develop remediation actions, plan of action/milestones

Authorize –

Provide accountability by requiring a senior management official to determine if the security and privacy risk to the organizational operations and assets, individuals, other organizations, or the Nation of operating a system or the use of common controls, is acceptable.

R1-R5

Authorization package (security/privacy plan, assessment reports, action/milestones, executive summary), risk analysis, risk response, authorization decision, reporting

Monitor –

Maintain an ongoing situational awareness about the security and privacy posture of the system and risk management decision-making process
M1-M7

System and environment changes, ongoing assessments, ongoing risk response, authorization package updates, security and privacy reporting, ongoing authorization, system disposal.

_____________________________________________________________________

Link to the course (3 hours)

https://csrc.nist.gov/CSRC/media/Projects/risk-management/images-media/rmf-training/intro-course-v2_0/index.html