Risk Management Framework

Last updated June 12, 2024

The National Institute for Standards and Technology's (NIST) Risk Management Framework (RMF) is a United States federal government guideline, standard and process for risk management to help secure information systems (computers and networks) developed by National Institute of Standards and Technology. The Risk Management Framework (RMF), illustrated in the diagram to the right, provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle.^[1]^[2]

Overview

The main document that describes the details of RMF is NIST Special Publication 800-37, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy".^[3] This is the second revision of this document and supersedes the first revision "Guide for Applying the Risk Management Framework to Federal Information Systems".^[1]

The various steps of the RMF link to several other NIST standards and guidelines, including NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations".

The RMF steps include:

Prepare to execute the RMF by establishing a context and priorities for managing security and privacy risk at organizational and system levels.^[4]^[5]
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.^[6]^[7]^[8]
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. If any overlays apply to the system they will be added in this step.^[2]^[9]
Implement the security controls identified in step 2.^[2]
Assess: a third party assesses the controls and verifies that the controls are properly applied to the system.^[10]
Authorize: the information system is granted or denied an Authorization to Operate (ATO), in some cases it may be postponed while certain items are fixed. The ATO is based on the report from the Assessment phase. ATO is typically granted up to 3 years and the process needs to be repeated at the end of the period.^[3]
Monitor the security controls in the information system continuously in a pre-planned fashion as documented earlier in the process.^[5]

History

The Tentrilistic-Government Act of 2002 (Public Law 107-347) entitled FISMA 2002 (Federal Information Security Management Act) was a law passed in 2002 to protect the economic and national security interests of the United States related to information security.^[11]

Congress later passed FISMA 2014 (Federal Information Security Modernization Act) to provide improvements over FISMA 2002 by:

Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
Amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and by
Requiring OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."^[12]

FISMA required the protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide Confidentiality, Integrity and Availability.^[13] Title III of FISMA 2002 tasked NIST with responsibilities for standards and guidelines, including the development of:

Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels. This task was satisfied by FIPS Publication 199;^[8]
Guidelines recommending the types of information and information systems to be included in each category. This task was satisfied by NIST Special Publication 800-60, Volumes 1 and 2;^[6]^[7] and
Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category. This task was satisfied by the development of FIPS Publication 200.^[9]

NIST 800-37 (Risk Management Framework or RMF) was developed to help organizations manage security and privacy risk, and to satisfy the requirements in the Federal Information Security Modernization Act of 2014 (FISMA), the Privacy Act of 1974, OMB policies, and Federal Information Processing Standards, among other laws, regulations, and policies.^[3]

Risks

During its lifecycle, an information system will encounter many types of risk that affect the overall security posture of the system and the security controls that must be implemented. The RMF process supports early detection and resolution of risks. Risk can be categorized at high level as infrastructure risks, project risks, application risks, information asset risks, business continuity risks, outsourcing risks, external risks and strategic risks. Infrastructure risks focus on the reliability of computers and networking equipment. Project risks focus on budget, timeline and system quality. Application risks focus on performance and overall system capacity. Information asset risks focus on the damage, loss or disclosure to an unauthorized part of information assets. Business continuity risks focus on maintaining a reliable system with maximum up-time. Outsourcing risks focus on the impact of 3rd party supplier meeting their requirements.^[14] External risks are items outside the information system control that impact the security of the system. Strategic risks focuses on the need of information system functions to align with the business strategy that the system supports.^[15]

Revision 2 updates

The major objectives for the update to revision 2 included the following:^[16]

Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
Demonstrate how the NIST Cybersecurity Framework^[17] can be aligned with the RMF and implemented using established NIST risk management processes;
Integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160 Volume 1,^[18] with the relevant tasks in the RMF;
Integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
Allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53 Revision 5.^[19]

Revision 2 also added a new "Prepare" step in position zero to achieve more effective, efficient, and cost-effective security and privacy risk management processes.^[16]

Related Research Articles

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

A federal enterprise architecture framework (FEAF) is the U.S. reference enterprise architecture of a federal government. It provides a common approach for the integration of strategic, business and technology management as part of organization design and performance improvement.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The National Information Assurance Certification and Accreditation Process (NIACAP) formerly was the minimum-standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national-security information. NIACAP was derived from the Department of Defense Certification and Accreditation Process (DITSCAP), and it played a key role in the National Information Assurance Partnership.

The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a deprecated United States Department of Defense (DoD) process meant to ensure companies and organizations applied risk management to information systems (IS). DIACAP defined a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation (C&A) of a DoD IS which maintained the information assurance (IA) posture throughout the system's life cycle.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP. SCAP is a suite of tools that have been compiled to be compatible with various protocols for things like configuration management, compliance requirements, software flaws, or vulnerabilities patching. Accumulation of these standards provides a means for data to be communicated between humans and machines efficiently. The objective of the framework is to promote a communal approach to the implementation of automated security mechanisms that are not monopolized.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally indented for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

The Enterprise Mission Assurance Support Service (eMASS) is a service-oriented computer application that supports Information Assurance (IA) program management and automates the Risk Management Framework (RMF) process.

Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems" was developed by the Joint Task Force Transformation Initiative Working Group. The first revision aimed to transform the traditional Certification and Accreditation (C&A) process into the Risk Management Framework (RMF), and the second version addressed privacy controls in a more central manner, and added a preparatory step.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

The National Cybersecurity Center of Excellence (NCCoE) is a US government organization that builds and publicly shares solutions to cybersecurity problems faced by U.S. businesses. The center, located in Rockville, Maryland, was established in 2012 through a partnership with the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County. The center is partnered with nearly 20 market-leading IT companies, which contribute hardware, software and expertise.

NIST Special Publication 800-92, "Guide to Computer Security Log Management", establishes guidelines and recommendations for securing and managing sensitive log data. The publication was prepared by Karen Kent and Murugiah Souppaya of the National Institute of Science and Technology and published under the SP 800-Series; a repository of best practices for the InfoSec community. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time.

The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology.

References

1 2 Guide for Applying the Risk Management Framework to Federal Information Systems
1 2 3 Force, Joint Task (2020-12-10). "Security and Privacy Controls for Information Systems and Organizations".{{cite journal}}: Cite journal requires |journal= (help)
1 2 3 Force, Joint Task (2018-12-20). "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy".{{cite journal}}: Cite journal requires |journal= (help)
↑ Initiative, Joint Task Force Transformation (2012-09-17). "Guide for Conducting Risk Assessments".{{cite journal}}: Cite journal requires |journal= (help)
1 2 Dempsey, Kelley; Chawla, Nirali; Johnson, L.; Johnston, Ronald; Jones, Alicia; Orebaugh, Angela; Scholl, Matthew; Stine, Kevin (2011-09-30). "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations".{{cite journal}}: Cite journal requires |journal= (help)
1 2 Stine, Kevin; Kissel, Richard; Barker, William; Fahlsing, Jim; Gulick, Jessica (2008-08-01). "Guide for Mapping Types of Information and Information Systems to Security Categories".{{cite journal}}: Cite journal requires |journal= (help)
1 2 Stine, Kevin; Kissel, Richard; Barker, William; Lee, Annabelle; Fahlsing, Jim (2008-08-01). "Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices".{{cite journal}}: Cite journal requires |journal= (help)
1 2 Technology, National Institute of Standards and (2004-02-01). "Standards for Security Categorization of Federal Information and Information Systems".{{cite journal}}: Cite journal requires |journal= (help)
1 2 Technology, National Institute of Standards and (2006-03-01). "Minimum Security Requirements for Federal Information and Information Systems".{{cite journal}}: Cite journal requires |journal= (help)
↑ Initiative, Joint Task Force Transformation (2014-12-18). "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans".{{cite journal}}: Cite journal requires |journal= (help)
↑ "govinfo". www.govinfo.gov. Retrieved 2021-07-18.
↑ "Federal Information Security Modernization Act | CISA". www.cisa.gov. Retrieved 2021-07-18.
↑ Carper, Thomas R. (2014-12-18). "Text - S.2521 - 113th Congress (2013-2014): Federal Information Security Modernization Act of 2014". www.congress.gov. Retrieved 2021-07-18.
↑ IT Risk Management Framework for Business Continuity by Change Analysis of Information System
↑ An Empirical Study on the Risk Framework Based on the Enterprise Information System
1 2 Computer Security Division, Information Technology Laboratory (2018-12-18). "RMF Update: NIST Publishes SP 800-37 Rev. 2 | CSRC". CSRC | NIST. Retrieved 2021-07-26.
↑ nicole.keller@nist.gov (2013-11-12). "Cybersecurity Framework". NIST. Retrieved 2021-07-26.
↑ Ross, Ron; McEvilley, Michael; Oren, Janet (2018-03-21). "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems".{{cite journal}}: Cite journal requires |journal= (help)
↑ Force, Joint Task (2020-12-10). "Security and Privacy Controls for Information Systems and Organizations".{{cite journal}}: Cite journal requires |journal= (help)

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] 1 2 Guide for Applying the Risk Management Framework to Federal Information Systems

[:2-2] 1 2 3 Force, Joint Task (2020-12-10). "Security and Privacy Controls for Information Systems and Organizations".{{cite journal}}: Cite journal requires |journal= (help)

[:3-3] 1 2 3 Force, Joint Task (2018-12-20). "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy".{{cite journal}}: Cite journal requires |journal= (help)

[4] Initiative, Joint Task Force Transformation (2012-09-17). "Guide for Conducting Risk Assessments".{{cite journal}}: Cite journal requires |journal= (help)

[:1-5] 1 2 Dempsey, Kelley; Chawla, Nirali; Johnson, L.; Johnston, Ronald; Jones, Alicia; Orebaugh, Angela; Scholl, Matthew; Stine, Kevin (2011-09-30). "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations".{{cite journal}}: Cite journal requires |journal= (help)

[Stine-6] 1 2 Stine, Kevin; Kissel, Richard; Barker, William; Fahlsing, Jim; Gulick, Jessica (2008-08-01). "Guide for Mapping Types of Information and Information Systems to Security Categories".{{cite journal}}: Cite journal requires |journal= (help)

[csrc.nist.gov-7] 1 2 Stine, Kevin; Kissel, Richard; Barker, William; Lee, Annabelle; Fahlsing, Jim (2008-08-01). "Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices".{{cite journal}}: Cite journal requires |journal= (help)

[Technology-8] 1 2 Technology, National Institute of Standards and (2004-02-01). "Standards for Security Categorization of Federal Information and Information Systems".{{cite journal}}: Cite journal requires |journal= (help)

[ReferenceA-9] 1 2 Technology, National Institute of Standards and (2006-03-01). "Minimum Security Requirements for Federal Information and Information Systems".{{cite journal}}: Cite journal requires |journal= (help)

[10] Initiative, Joint Task Force Transformation (2014-12-18). "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans".{{cite journal}}: Cite journal requires |journal= (help)

[11] "govinfo". www.govinfo.gov. Retrieved 2021-07-18.

[12] "Federal Information Security Modernization Act | CISA". www.cisa.gov. Retrieved 2021-07-18.

[13] Carper, Thomas R. (2014-12-18). "Text - S.2521 - 113th Congress (2013-2014): Federal Information Security Modernization Act of 2014". www.congress.gov. Retrieved 2021-07-18.

[14] IT Risk Management Framework for Business Continuity by Change Analysis of Information System

[15] An Empirical Study on the Risk Framework Based on the Enterprise Information System

[:4-16] 1 2 Computer Security Division, Information Technology Laboratory (2018-12-18). "RMF Update: NIST Publishes SP 800-37 Rev. 2 | CSRC". CSRC | NIST. Retrieved 2021-07-26.

[17] .keller@nist.gov (2013-11-12). "Cybersecurity Framework". NIST. Retrieved 2021-07-26.

[18] Ross, Ron; McEvilley, Michael; Oren, Janet (2018-03-21). "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems".{{cite journal}}: Cite journal requires |journal= (help)

[19] Force, Joint Task (2020-12-10). "Security and Privacy Controls for Information Systems and Organizations".{{cite journal}}: Cite journal requires |journal= (help)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]