08. Risk Management Framework Example - NIST


The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) was developed for federal agencies and their contractors as a way of determining risk and applying security controls in a consistent, repeatable manner. An overview of the framework can be found here: https://csrc.nist.gov/projects/risk-management/rmf-overview .

Note, however, that the NIST RMF operates at a higher level than what you might envision as a risk management framework. It is a systematic lifecycle for selecting, implementing, assessing and monitoring security controls in order to keep risk within acceptable bounds, not a method for assessing risk in itself; the actual risk assessment is delegated to a separate guide (SP 800-30) that the RMF calls out.

The Risk Management Framework (RMF) is the mandatory process under which United States federal information systems are categorized, secured, authorized to operate, and monitored. The framework in its current form was produced by the Joint Task Force of NIST, the Department of Defense (DoD), the Office of the Director of National Intelligence and the Committee on National Security Systems, and was published for all federal information systems as SP 800-37 Revision 1 in 2010; DoD later adopted it as the replacement for its own DIACAP process. The RMF is maintained by NIST.

It defines a six-step process for implementing security controls for data and IT systems, and dictates the practices and procedures federal agencies must follow before a new system is authorized to operate. (SP 800-37 Revision 2, published in 2018, added a preliminary Prepare step, so the current edition has seven steps; the six steps below are the lifecycle as described in Revision 1, and they are unchanged in Revision 2.) In addition to the primary document SP 800-37, the RMF relies on supplemental documents: SP 800-30 (conducting risk assessments), SP 800-53 (the catalog of security and privacy controls and their baselines), SP 800-53A (procedures for assessing those controls), and SP 800-137 (continuous monitoring). The supplemental documents can be found alongside the RMF overview.

The six steps are as follows:

#### Step 1: Categorize Information System

The system owner assigns a security categorization (Low, Moderate or High impact) to the IT system and the information it processes, based on the impact a loss of confidentiality, integrity or availability would have on the mission and business objectives.

#### Step 2: Select Security Controls

A baseline set of security controls is selected according to the categorization, tailored to the system, and approved by leadership.

#### Step 3: Implement Security Controls

The selected security controls are installed, configured and documented in the system security plan.

#### Step 4: Assess Security Controls

An assessor verifies that the controls are implemented correctly, operating as intended and producing the desired outcome; any deficiencies are remediated or recorded in a plan of action.

#### Step 5: Authorize Information System

A risk assessment and a risk determination are made for the system as it actually exists after the controls are in place. The authorizing official decides, given the system's categorization and the residual risk, whether the system is permitted to operate.

#### Step 6: Monitor Security Controls

Security controls are monitored continuously, and the categorization, control selection and authorization are revisited as the system and its threat environment change.
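The following Python is an added worked example for Steps 1 and 2; it is not code from the course page or from NIST. It applies the FIPS 199 high-water-mark rule that Step 1 relies on (the system's impact level for each objective is the highest level of any information type it handles, never below Low, and the overall categorization is the highest of the three objectives) and then maps the result to the SP 800-53 baseline that Step 2 starts from. The information types, their impact levels, and the names `InfoType`, `categorize` and `select_baseline` are this example's own constructions.

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection.

Added example for RMF Steps 1 and 2; not code from NIST or the course.
The high-water-mark rule is from FIPS 199, the baseline names from
SP 800-53. The sample information types and impact levels are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Impact levels ranked so that max() yields the FIPS 199 high water mark.
# "n/a" is permitted only for the confidentiality of an information type
# (for example, information that is already public) and ranks below "low".
IMPACT_RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
RANK_NAME = {rank: name for name, rank in IMPACT_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(info_type: InfoType, objective: str) -> int:
    """Validate one impact level and return its numeric rank."""
    level = getattr(info_type, objective).strip().lower()
    if level not in IMPACT_RANK:
        raise ValueError(f"{info_type.name}: unknown {objective} impact {level!r}")
    if level == "n/a" and objective != "confidentiality":
        raise ValueError(f"{info_type.name}: 'n/a' is only allowed for confidentiality")
    return IMPACT_RANK[level]


def categorize(info_types: Iterable[InfoType]) -> Tuple[Dict[str, str], str]:
    """Apply the FIPS 199 high-water-mark rule to a system's information types.

    Per objective, the system's level is the highest level of any information
    type it handles. A system never sits below "low", so an objective whose
    only values are "n/a" is raised to "low". The overall categorization is
    the highest of the three objectives.
    """
    types = list(info_types)
    if not types:
        raise ValueError("at least one information type is required")
    per_objective: Dict[str, str] = {}
    for objective in OBJECTIVES:
        high_water = max(_rank(t, objective) for t in types)
        per_objective[objective] = RANK_NAME[max(high_water, IMPACT_RANK["low"])]
    overall = RANK_NAME[max(IMPACT_RANK[v] for v in per_objective.values())]
    return per_objective, overall


def select_baseline(overall: str) -> str:
    """Map the overall categorization to the SP 800-53 baseline Step 2 starts from."""
    baselines = {"low": "Low", "moderate": "Moderate", "high": "High"}
    return baselines[overall]


# Constructed sample system: a public-facing portal that also stores citizen PII.
SAMPLE_SYSTEM = [
    InfoType("public web content", "n/a", "moderate", "moderate"),
    InfoType("citizen PII records", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    per_obj, overall = categorize(SAMPLE_SYSTEM)
    print("SC =", per_obj, "-> overall:", overall)
    print("Step 2 starting baseline:", select_baseline(overall))
```

Adding a single information type with a High availability impact (for example an emergency dispatch feed) pushes the whole system to High, which is exactly why Step 1 is done before controls are chosen: the most demanding information type sets the baseline for everything the system does.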