This is a brief summary of the basics of NIST SP 800-37 Rev 2, the Risk Management Framework (RMF). A link to the course I took is at the bottom of this post. Included are the main points from the course (in the order they were presented); the most important section is perhaps the last part, which describes in detail the seven steps of the RMF.
Each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. This requirement comes from FISMA (the Federal Information Security Management Act of 2002, updated by the Federal Information Security Modernization Act of 2014).
FISMA requires federal organizations to: Provide information security protections commensurate with the assessed risk; Ensure senior leaders provide information security for the assets under their control; Ensure the organization has trained personnel to assist in complying with FISMA and related policies; Provide annual reports on the adequacy and effectiveness of information security policies, procedures, and practices; Develop, document, and implement an information security program; Develop and maintain an inventory of the systems under the control of the organization; Develop security awareness training to inform personnel of information security risks; Perform an independent evaluation of the information security program and practices to determine their effectiveness.
The purpose of NIST SP 800-37 is to: Promote an organization-wide risk management process that includes both privacy and information security risk; Manage privacy and information security risk consistent with mission/business objectives and the overall risk strategy; Ensure a consistent risk posture throughout the organization; Integrate security and privacy requirements into the organization's enterprise architecture; Establish clear accountability for who is accepting risk on behalf of the system and the organization; Provide senior leaders with the information about the organization's risk posture that they need to make informed decisions.
Each step and task of the RMF is aligned, where applicable, with existing system security engineering processes (such as those described in NIST SP 800-160), so that security and privacy work is done as part of the system life cycle rather than bolted on afterwards.
Organization-wide Risk Management –
Level 1 – Organization
Level 2 – Mission/ Business Process
Level 3 – System (Environment of Operation)
Level 1 has a strategic focus, while Level 3 takes a granular, tactical approach to risk. Information should flow bi-directionally between the levels: risk strategy, tolerance, and priorities flow down from the organization and mission/business levels to the systems, and system-level risk assessment and monitoring results flow back up so that senior leaders see the actual risk posture.
Risk Management is a comprehensive process that requires:
Framing Risk – establish the risk context by describing the environment in which risk decisions are made (assumptions, constraints, risk tolerance, priorities)
Assessing Risk – identify threat sources and vulnerabilities, the potential impact, and the likelihood of occurrence
Responding to Risk – provide a consistent organization-wide response by developing and evaluating courses of action (accept, avoid, mitigate, share, or transfer)
Monitoring Risk – verify that risk response measures are implemented and determine their ongoing effectiveness as systems and threats change
The seven steps of the RMF are: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
Authorization Boundaries – Establish the scope of protection for a system and define the scope of the authorizing official's responsibility and accountability for protecting information resources and individuals' privacy. Organizations have flexibility in determining this boundary. Considerations for determining an authorization boundary may include whether the components are under the same direct management control, support similar mission/business functions, share the same requirements and security/privacy concerns, and the cost of authorizing them together versus separately. Systems can be broken into subsystems that have their own boundaries, all falling within the larger authorization boundary.
Ongoing – Authorization is not a one-time event. Subsequent risk determinations and risk acceptance decisions are made on an ongoing basis, driven by the results of continuous monitoring rather than only at the initial authorization.
Everyone has a role. These can include the Authorizing Official, C-suite officials (such as the CIO, CISO, and Senior Agency Official for Privacy), Enterprise Architect, Information Owner, Risk Executive, Security/Privacy Architect, System Owner, and others.