An introduction to the NIST Risk Management Framework

The Risk Management Framework (RMF) is a set of information security policies and standards for the federal government, developed by the National Institute of Standards and Technology (NIST).

The RMF is explicitly covered in the following NIST publications:

Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” describes the formal RMF certification and accreditation process.

Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” describes a structured process for integrating information security and risk management activities into system development from start to finish.

An organization will select system security controls and apply them organization-wide via an information security program, where organizational risk management is considered.

What is organizational risk, and how can you take a risk-based approach to cybersecurity?

Organizational risk is a systematic, structured way of identifying, assessing, and rating the risks an organization faces, in this case within the context of systems operations.

The NIST RMF provides an effective framework to facilitate decision-making to select appropriate security controls.

The RMF applies a risk-based approach that considers effectiveness, efficiency, and restrictions due to regulations, directives, executive orders, policies, and other rules.

The RMF identifies the following activities, which can be applied to both new and legacy systems and can be implemented through an effective ISMS (information security management system).

The RMF approach in six steps

  1. Categorize – Classify and label the information processed, stored, and shared, and the systems that are used; this is done based on an impact analysis.
  2. Select – Review the categorization and select baseline security controls; revise and add to the security control baseline as necessary, based on the organizational assessment of risk and local conditions.
  3. Implement – Instill the security controls and integrate with legacy systems; document how the controls are arrayed within the system and their effects on the environment.
  4. Assess – Evaluate the security controls to determine whether or not they are implemented correctly, and their quality and effectiveness.
  5. Authorize – Top management tests and approves the secured system based on the accepted risk appetite to operations and assets (how much risk the organization is willing to tolerate). Management also considers the system’s operational impact on individuals, other organizations, and the US. It will identify how much risk is still present, and either authorize it or decide on changes needed.
  6. Monitor – Set up an ongoing monitoring and assessment schedule for security controls to measure effectiveness. Document system or operation adjustments, and include impact analyses of changes made. Report findings to information security officials.

As the RMF is meant to be a continual cycle, you can then start again from step one, all the way through to step six to account for changes in the environment or to the system itself.
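The first two steps above, Categorize and Select, are the ones that lend themselves to a worked example. The following code is an added illustration, not part of the original article: it assumes the FIPS 199 high-water-mark method for categorization (for each security objective, take the highest impact across the information types a system handles; the overall level is the highest objective), and uses constructed, heavily abbreviated control baselines whose membership is illustrative rather than the published SP 800-53 allocation.

```python
# Added example (not from the article): RMF steps 1 and 2 for one system.
# Assumption: categorization follows the FIPS 199 "high-water mark" method.
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # FIPS 199 impact values, ascending

@dataclass(frozen=True)
class InfoType:
    """One kind of information the system processes, with its C/I/A impacts."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

def _high_water(values):
    """Return the highest impact level present; reject unknown levels early."""
    for v in values:
        if v not in LEVELS:
            raise ValueError(f"unknown impact level: {v!r}")
    return max(values, key=LEVELS.index)

def categorize(info_types):
    """Step 1 (Categorize): impact per objective, then overall for the system."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    result = {
        "confidentiality": _high_water([t.confidentiality for t in info_types]),
        "integrity": _high_water([t.integrity for t in info_types]),
        "availability": _high_water([t.availability for t in info_types]),
    }
    result["overall"] = _high_water(list(result.values()))
    return result

# Constructed, abbreviated baselines keyed by overall impact. The identifiers are
# SP 800-53 controls, but which baseline each sits in here is illustrative only.
BASELINES = {
    "low": {"AC-2", "AU-2", "IA-2", "SC-7"},
    "moderate": {"AC-2", "AC-2(1)", "AU-2", "AU-6", "IA-2", "IA-2(1)", "SC-7", "SC-8"},
    "high": {"AC-2", "AC-2(1)", "AC-2(2)", "AU-2", "AU-6", "IA-2", "IA-2(1)",
             "SC-7", "SC-7(8)", "SC-8"},
}

def select_controls(overall, add=frozenset(), remove=frozenset()):
    """Step 2 (Select): start from the baseline for the overall impact, then tailor
    it (add for organizational risk or local conditions, remove what does not
    apply). The tailoring decisions are returned so the assessor can see them."""
    baseline = BASELINES[overall]
    selected = (baseline | set(add)) - set(remove)
    return {"baseline": overall, "controls": sorted(selected),
            "added": sorted(set(add) - baseline), "removed": sorted(set(remove) & baseline)}
```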

[Figure: Risk Management Framework steps]

A systematic and measurable approach to cybersecurity is vital to protecting your organization

To ensure the safety of personal data and maintain trust with customers, it is essential that you take adequate measures to protect your private data.

How IT Governance USA can help

We recommend that organizations refer to ISO 27001, among other best practice standards and guidelines, within the Framework.

ISO 27001 is the international standard that helps organizations achieve ISMS best practice.

Achieving ISO 27001-accredited certification is a strong indication that your company is taking the proper measures to protect consumer data and effectively manage data breach events.

ISO 27001-approved certification does not come easy – the process can be long and challenging, depending on your organization’s resources.

To assist, IT Governance offers a four-day training course combining its ISO27001 Foundation (CIS F) and Lead Implementer (CIS LI) courses. The program provides a complete introduction to ISO 27001 and its requirements, covering all the steps involved in planning, implementing, and maintaining an ISO 27001-compliant ISMS.

Book a place on our ISO27001 Foundation and Lead Implementer Combination Course for a 15% saving on the two separate courses.

ISO 27001 Foundation and Lead Implementer Combination Course
