Risk Management Framework (RMF)

RMF Overview

The NIST Risk Management Framework (RMF) was developed to create a universal framework that federal agencies must use to protect information systems. It is a comprehensive, flexible, repeatable, and measurable 7-step process. The 7 steps (prepare, categorize, select, implement, assess, authorize, and monitor) are designed for any organization to use to manage information security and privacy risk. NIST has built a catalog of security controls (SP 800-53) to be used in developing security and privacy plans for an organization. The risk management framework is not the same for every organization, which is why it can be applied universally: it is tailored to fit each organization’s needs individually.

The NIST RMF has replaced previous risk management certification processes used for federal agencies, and it is currently being used to manage risk in every operating system in the federal government. Although it is required for federal agencies, it is also being used amongst private organizations for its ability to minimize risk.

RMF: Is “A MUST HAVE” for organizations

The Risk Management Framework (RMF), published by the National Institute of Standards and Technology (NIST) is a relatively new set of standards and guidelines, but it has proved to be one of the most effective risk management frameworks today. Federal agencies are required to implement RMF and become authorized to operate, but for organizations in the private sector, RMF authorization is not required. However, this doesn’t mean that private organizations don’t or shouldn’t become authorized. RMF creates a strong template for efficient risk management, a key part of running an organization in today’s cyber world.

Managing risk to your organization is highly important to effectively secure and protect information and programs. RMF can be applied to new and old systems, and will work regardless of the category and size of the organization. RMF ‘simplifies’ what would otherwise be a very complex and overwhelming process. It creates structure within a difficult part of managing an organization, and gives you an outline – what you should do, in what order you should do it, and how to maintain it. It integrates information security and privacy activities into one large life cycle, where risk can be identified, managed, and continuously monitored. It essentially outlines a format that, when followed properly, will ensure that risk is managed in the best way it possibly can.

NIST also uses a public review process involving organizations in both the private and public sectors in order to ensure that every FISMA security standard and guideline is correct and implementable. Risk management should be an essential part of both public and private organizations in the modern cyber world, and NIST’s RMF makes it both easily accessible and implementable.

RMF is required for federal organizations and especially important for those handling important/large information systems, but many private organizations do not use RMF. Risk management may be overwhelming, or seem time costly to implement, but in the long run, having a solid foundation to stand on when making risk-based decisions will prove incredibly important. The Risk Management Framework will help a private organization both explicitly and implicitly – from building attractiveness with investors to protecting client information, RMF can help a business grow in a multitude of ways.

One of the most important ways it can help an organization in the private sector is by improving its reputation – as mentioned, investors are far more likely to invest (especially in the modern cyber world) in an organization that has an effective risk management strategy. It actively allows an organization to work towards preparing for and building overall resilience against threats, for making better risk-based decisions, and for focusing more on the goals of the organization with risk covered – all factors that will help a private organization in the market.

The Development of RMF by NIST

RMF is the framework for complying with a large compilation of guidelines or standards that NIST developed in order to combine information security and privacy management into one large risk management system. Largely based on the Federal Information Security Modernization Act (FISMA), RMF was developed to ensure federal agencies had a universal framework with which to manage risk effectively. FISMA essentially established the requirements of a risk management program, and RMF is a format that specifically determines how that program is implemented in order to reach authorization.

According to NIST, there are a few main goals behind the development of RMF. NIST wished to create reciprocity with risk management among federal agencies. NIST wanted a format that could be followed and completed in a similar fashion by every different agency, yet still have enough elasticity to address the differentiation between agencies. The point of a universal risk management framework within the federal government is to help strengthen risk management in general and to improve information security. The cyber world holds some of the most important information, and the cyber connections between federal agencies means that a deficiency in one can lead to a catastrophic attack across the nation. With proper risk management however, that can be avoided.

Originally, NIST operated with a process referred to as C&A (Certification and Accreditation). For example, the DoD operated under the ‘DoD Information Assurance Certification and Accreditation Process’ (DIACAP). This process essentially had the same goal as RMF: to ensure that organizations applied risk management to information systems. C&A required that a variety of security controls and standards were applied to information systems, similarly to RMF. What makes them different is that RMF is meant to meet the requirements outlined by FISMA, and all security controls are picked from the NIST Special Publication 800-53. This publication is a control catalog, meaning it contains all the controls available to select from for compliance with RMF. In short, RMF has compiled and simplified the risk management process inherited from previous processes.

RMF was first developed by the DoD, and then adopted by the rest of the US federal agencies after being introduced as one of NIST’s special publications. The NIST SP 800-37 Rev. 1 was published in February 2010. This special publication was intended to transform the previous C&A process into what we now know as RMF. Although this initial revision worked well and was adopted by federal agencies, it lacked adequate central privacy controls and only had 6 steps. The second revision came over 8 years later in December of 2018, and this added the ‘prepare step’ and more common controls to the RMF we now know. RMF was developed and implemented with the broad goal of protecting information systems within the United States government.

Incorporating RMF – Is There Only One Way?

The essence of RMF is that it is a risk-based process. Each organization will plan differently, select and implement different controls, and possibly repeat different steps. The risk management framework is exactly what it says it is, a framework, so it leaves the organization a lot of room to suit it to its own information security needs.

For context, the NIST SP 800-53 has over 1000 controls. No organization would ever need all of them, and this means that different organizations will often be choosing completely different sets of controls. The ‘Select’ and ‘Implement’ steps of the RMF process manage controls; they are often repeated and take a large amount of time to pass authorization. This will proportionally affect an organization’s implementation of RMF.

Not only will the selection and initial implementation of controls vary the process from organization to organization, but so will the continuous monitoring process. The process is intended to continuously monitor controls and the system as a whole, and every organization will build a different strategy to do this. While NIST’s RMF provides a solid framework, the organization must take it into its own hands to implement it to suit its own needs.

The Process for RMF Design and Implementation

Prepare

  • Essential activities that prepare the organization to manage security and privacy risks
    • Details
      • Identify the different roles for risk management
      • Establish an organization-wide strategy
      • Determine risk tolerance
      • Perform an organization-wide risk assessment
      • Establish a strategy to continuously monitor risk
      • Identify common controls

Categorize

  • Categorize information/system based on the risk impact analysis
  • Determine the impact of risk to a system’s process/task with respect to the confidentiality, integrity, and availability of the information involved with the system. Advise risk management based on this impact.
    • Details
      • Document system characteristics
      • Categorize the system and its information
      • Categorization decision reviewed/approved

Select

  • Select the set of NIST SP 800-53 controls to protect the system based on risk assessments
    • Details
      • The security control baselines are selected
      • Controls are designated – system-specific, common, or hybrid
      • Controls are allocated to the specific parts of the system
      • Continuous monitoring strategy for the entire system is developed
      • Security/privacy plans that document the previous selection, allocation, and designation of security controls are approved

Implement

  • Implement the selected NIST SP 800-53 controls and document how they are deployed
    • Details
      • Controls previously specified are implemented
      • Security and privacy plans from the select step are updated to reflect controls as implemented

Assess

  • Assess to determine if the NIST SP 800-53 controls are in place, operating as intended, and producing the desired results
    • Details
      • Assessor/assessment team is selected to perform assessment, and plan is developed, reviewed and approved
      • Assessment report developed
      • Any remediation actions necessary are taken
      • Security/privacy plans are updated according to the assessment
      • Plan of action/milestones developed

Authorize

  • Senior official makes risk-based decision to authorize the system to operate
    • Details
      • Authorization package assembled (executive summary, system security/privacy plan, assessment report, plan of action and milestones)
      • Risk determination rendered
      • Risk responses provided
      • Authorization is approved or denied

Monitor

  • Continuously monitor SP 800-53 control implementation and risks to the system
    • Details
      • The system is monitored and continuously assessed in accordance with the continuous monitoring strategy developed in the select step
      • The results of the continuous monitoring strategy are analyzed
      • Ensure there is a framework for reporting security and privacy concerns to management
      • Ongoing authorization conducted based on the results of continuous monitoring

How does an Organization Implement RMF?

Implementing RMF and becoming compliant may seem overwhelming at first, but it’s important to recognize that it will vary from organization to organization, and that it is a continuous process, meaning if you fail at one step or fail to reach compliance, it is possible to adjust and try again.

RMF is a risk-based process, meaning that different organizations will have to use different controls, thus changing the framework from organization to organization. This makes it harder to implement but effective upon compliance, as an organization can be certain that the controls that were selected and approved are the right choice. Implementing RMF will also vary based on how an organization performs on certain steps along the way, because steps are often repeated if they need to be adjusted. RMF is a lifecycle, not just paperwork that can be completed once and forgotten about.

These are the steps to implement and reach compliance:

  • First, the organization must prepare to implement the Risk Management Framework. This essentially means performing risk analyses in order to contextualize all security risks within the organization, and then informing the different levels/parts of the organization of their security risk and their role in implementing RMF.
  • Next, the organization must categorize the different information systems by both the type of information being stored/processed, and also by the level of the risk apparent. With this step, the different levels of the organization will be able to start preparing the controls/baselines necessary. Some systems within an organization are more important than others, and this is why the categorization step is important.
  • Once categories have been selected, then the relevant controls from the Special Publication 800-53 must be selected. Controls are selected in direct relation to the categorizations of information being protected and the level of risk posed to that information.
  • After controls are selected, they must then be implemented. For example, a common control selected and implemented may be SP 800-53 PM-9, titled “Security and Privacy Controls for Information Systems and Organizations”. It requires that the organization develop comprehensive strategies for managing security risks to both operations and assets, and also privacy risks to individuals resulting from the processing of personal information. This step in the process of becoming compliant with RMF is the most important, because without it, the risk management process in the organization wouldn’t change at all.
  • After the controls are implemented, they are assessed. Organizations essentially need to make sure that the controls are working as intended. If an organization were to have implemented SP 800-53 PM-9, as mentioned above, then there are steps to assess that they must follow, in the same way there are steps to implement it that they must follow. This step is usually where the implementation of RMF differs from organization to organization. If there are flaws found, the organization either needs to return to step 4 and re-implement the controls successfully, or go all the way back to step 3 and choose new controls.
  • If all goes well with the fourth and fifth steps of the process, then the next step in the process is to finally authorize the system to operate, meaning that the controls have been successfully chosen and implemented properly. The assessment team/operator has determined that the organization is compliant, and a senior level official will then give the green light to continue.
  • Once the organization is operating normally with the Risk Management Framework implemented successfully, all that’s left to do is continuously monitor the system and the controls. The strategies previously developed need to be adhered to indefinitely, and the system should be regularly assessed to ensure it is keeping up with the standards of RMF.
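As an added illustration of the Categorize and Select steps described above (example code written for this page, not code from the page or from NIST), the following Python derives a system’s security categorization from the impact levels of the information types it handles and picks the matching SP 800-53 control baseline. It assumes the FIPS 199 high-water-mark rule, which this page does not cite, and the information types in SAMPLE_SYSTEM are constructed sample values.

```python
from enum import IntEnum
from typing import Dict, List, Tuple


class Impact(IntEnum):
    """Potential impact of losing an objective (FIPS 199 levels, assumed here)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type: (name, confidentiality, integrity, availability)
InfoType = Tuple[str, Impact, Impact, Impact]

# Constructed sample: information types a small payment system might process.
SAMPLE_SYSTEM: List[InfoType] = [
    ("customer contact records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    ("payment transactions",     Impact.MODERATE, Impact.HIGH,     Impact.MODERATE),
    ("public marketing content", Impact.LOW,      Impact.MODERATE, Impact.LOW),
]


def categorize_system(info_types: List[InfoType]) -> Dict[str, Impact]:
    """Categorize step: for each objective, the system's impact is the highest
    impact of any information type it handles (the high-water mark)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {obj: Impact.LOW for obj in OBJECTIVES}
    for _name, *levels in info_types:
        for obj, level in zip(OBJECTIVES, levels):
            category[obj] = max(category[obj], level)
    return category


def overall_impact(category: Dict[str, Impact]) -> Impact:
    """Overall system impact: the high-water mark across the three objectives."""
    return max(category.values())


def select_baseline(category: Dict[str, Impact]) -> str:
    """Select step: the SP 800-53 baseline matches the overall impact level;
    the baseline is only the starting point and is then tailored to the system."""
    return overall_impact(category).name


def format_security_category(category: Dict[str, Impact]) -> str:
    """Render the categorization in the conventional SC = {...} form."""
    parts = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in category.items())
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_security_category(sc))
    print("baseline:", select_baseline(sc))
```

Note that a single HIGH integrity information type pulls the whole system to the HIGH baseline, which is why the categorization decision is reviewed and approved before controls are selected.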