Notes on NIST Risk Management Framework

This is a brief summary about the basics of the NIST 800-37 Rev 2 – Risk Management Framework (RMF). Link to the course I took is at the bottom of this post. Included are the main points from the course (in chronological order); the most important section is perhaps the last part which describes in detail the seven steps of the RMF.



Each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. This requirement is part of FISMA (Federal Information Security Modernization Act – 2002, and 2014).

FISMA requires federal organizations to:
-Provide information security protections commensurate with assessed risk
-Ensure senior leaders provide information security for assets under their control
-Ensure the organization has trained personnel to assist in complying with FISMA and related policies
-Provide annual reports on the adequacy and effectiveness of information security policies, procedures, and practices
-Develop, document, and implement an information security program
-Develop and maintain an inventory of systems under the control of the organization
-Develop security awareness training to inform personnel of information security risks
-Perform an independent evaluation of the information security program and practices to determine their effectiveness



The purpose of NIST SP 800-37 is to:
-Promote an organization-wide risk management process that includes privacy and information security risk
-Manage privacy and information security risk consistent with mission/business objectives and the overall risk strategy
-Ensure a consistent risk posture throughout the organization
-Integrate security and privacy requirements into the organization’s enterprise architecture
-Establish who is accepting risk for the system and the organization
-Provide senior leaders the necessary information about the organization’s risk posture to make informed decisions

Each step/task of the RMF is aligned with existing system security engineering processes (where applicable). 



Organization-wide Risk Management:

Level 1 – Organization
Level 2 – Mission/ Business Process
Level 3 – System (Environment of Operation)

Level 1 has a strategic focus, while Level 3 takes a granular, tactical approach to risk. Information should flow bi-directionally between the different levels of the organization.

Risk Management is a comprehensive process that requires:

    Framing Risk – establish a risk context by describing the decision-making environment
    Assessing Risk – identify threat sources and vulnerabilities, potential impact, and likelihood
    Responding to Risk – provide a consistent response by developing and evaluating courses of action
    Monitoring Risk – verify that risk response measures are implemented and determine their effectiveness


Steps and Structure:

There are seven steps in the RMF: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. These are detailed in the final section below.
Each step in the RMF has a purpose statement, a set of outcomes, and tasks that are carried out to achieve those outcomes; these are captured in the Step Summary.
Executing the RMF requires close collaboration between the security and privacy programs. While these programs have different objectives, they overlap.

Authorization Boundaries – Establish the scope of protection for systems and define the scope of the authorizing official’s responsibility and accountability for protecting information resources and individuals’ privacy. Organizations have flexibility in determining this boundary. Considerations for determining authorization boundaries may include systems under the same direct management, similar mission/business functions, requirements, security/privacy concerns, and cost. Systems can be broken into sub-systems that have their own boundaries, all under the umbrella of the overall Authorization Boundary.

Authorization Types: Type, Facility, Traditional, Joint, Initial, Ongoing, Re-Authorization
-Type – A single authorization for a common system, often used in conjunction with a facility authorization
-Facility – Authorizes the common controls provided in a specific environment
-Traditional – A single official in senior leadership is responsible/accountable for the common controls
-Joint – Multiple officials have a shared interest in authorizing a system
-Initial – Based on a complete, zero-based review of the system
-Ongoing – Subsequent risk determinations and risk decisions
-Re-Authorization – A static, point-in-time risk determination/acceptance that occurs after the initial authorization
Authorization decisions: Authorization to Operate, Common Control Authorization, Authorization to Use, Denial of Authorization
Risk management roles and responsibilities:
Everyone has a role. Roles include Authorizing Official, C-Suite Officials, Enterprise Architect, Information Owner, Risk Executive, Security/Privacy Architect, System Owner, etc.
The Authorizing Official is a senior executive with responsibility for authorizing a system. They consult with multiple organizational personnel and other parties. For federal agencies, this role is a US Government function and is assigned to government personnel only.


-Managing risk is a complex, multifaceted activity that requires the involvement of the entire organization

-Privacy, security, and supply chain risk management are not static processes
-The authorization boundary defines the system for RMF execution; it facilitates risk management and accountability and defines and accounts for the flow of information through the system
-Security and privacy programs require close collaboration; defining roles and responsibilities allows an organization to effectively accomplish specific tasks, manage security and privacy risks, and clarify expectations
-Authorizing officials should not feel pressured into accepting risk that is not consistent with the organizational risk tolerance
-The RMF describes the roles and responsibilities of key participants involved in an organization’s risk management process. Across organizations, there may be differences in naming conventions and in how responsibilities are allocated among personnel.


Risk Management Framework:

Provides organizations with:
-A structured/flexible process for managing risk
-Guidance for determining the appropriate risk mitigation
-A repeatable methodology that balances mission/business goals with security requirements and policy guidance
-A process for continuous monitoring resulting in improvement of security posture
-A technology-neutral methodology that can be applied to any type of information system without modification
Seven Steps of the RMF:

Prepare –
Organizational level = P1-P7
System level = P8-P18
Purpose: help an organization be more efficient and cost-effective in managing risk.
Organizational tasks: roles, strategy, risk assessment (organization), common control identification, etc.
System tasks: stakeholders, asset identification, authorization boundary, information life cycle, risk assessment (system), requirements, etc.

Categorize –
Inform organizational risk management processes and tasks by determining the adverse impact to the organization of the loss of confidentiality, integrity, and availability of organizational systems and information.
Tasks: document the characteristics of the system, perform the security categorization, and review/approve it.

Select –
Select, tailor, and document the controls necessary to protect the system and organization commensurate with the risk to organizational operations and assets, individuals, and the Nation.
Tasks: control selection, tailoring, allocation, documentation, monitoring, plan review/approval.

Implement –
I1, I2
Implement the controls identified in the system security plan. Implement the controls as specified in the security and privacy plans, and document changes to the planned control implementations based on the as-built system.

Assess –
Once controls are implemented, they should be assessed for effectiveness: determine the extent to which the controls are implemented correctly, operating as intended, and producing the required outcome with respect to meeting the security requirements of the system.
Tasks: select an assessor/assessment team, develop an assessment plan, assess the security controls, report results, develop remediation actions, and produce a plan of action and milestones.

Authorize –
Provide accountability by requiring a senior management official to determine whether the security and privacy risk to organizational operations and assets, individuals, other organizations, or the Nation from operating a system or using common controls is acceptable.
Tasks: authorization package (security/privacy plan, assessment reports, plan of action and milestones, executive summary), risk analysis, risk response, authorization decision, reporting.

Monitor –
Maintain ongoing situational awareness about the security and privacy posture of the system to support the risk management decision-making process.
Tasks: system and environment changes, ongoing assessments, ongoing risk response, authorization package updates, security and privacy reporting, ongoing authorization, system disposal.


Link to the course (3 hours)