Wikipedia

Risk Management Framework

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is a United States federal government guideline, standard and process for managing risk to help secure information systems (computers and networks). The RMF, illustrated in the diagram to the right, provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle.[1][2]

Risk Management Framework (RMF) Rev. 2 seven step process


Overview

The main document that describes the details of RMF is NIST Special Publication 800-37, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy".[3] This is the second revision of this document and supersedes the first revision "Guide for Applying the Risk Management Framework to Federal Information Systems".[1]

The various steps of the RMF link to several other NIST standards and guidelines, including NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations".

The RMF steps include:

  • Prepare to execute the RMF by establishing a context and priorities for managing security and privacy risk at organizational and system levels.[4][5]
  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.[6][7][8]
  • Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the baseline as needed based on an organizational assessment of risk and local conditions. Any overlays that apply to the system are added in this step.[2][9]
  • Implement the security controls identified in step 2 (Select).[2]
  • Assess: a third party assesses the controls and verifies that they are properly applied to the system.[10]
  • Authorize: the information system is granted or denied an Authorization to Operate (ATO); in some cases the decision may be postponed while certain items are fixed. The ATO is based on the report from the Assess step. An ATO is typically granted for up to 3 years, after which the process must be repeated.[3]
  • Monitor the security controls in the information system continuously, in the pre-planned fashion documented earlier in the process.[5]
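As an added example (not NIST's or this article's own code), the following Python models the Categorize, Select and Authorize steps listed above. It applies the FIPS 199 impact levels and the FIPS 200 high-water-mark rule (both cited by this article but not spelled out in it) to a constructed set of information types, builds a tailored baseline with an overlay from a constructed placeholder control catalog (the `EX-n` identifiers are not real SP 800-53 controls), and computes when a 3-year ATO must be repeated.

```python
"""Added example: models the RMF Categorize, Select and Authorize steps.

Impact levels and the per-objective maximum follow FIPS 199; the high-water
mark follows FIPS 200. CATALOG and the sample information types are
constructed placeholders, not real SP 800-53 controls or SP 800-60 types.
"""
from datetime import date

IMPACT = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types):
    """Categorize step (FIPS 199): for each security objective, the system's
    impact is the highest impact of any information type it processes,
    stores or transmits. Returns the security category as a dict."""
    return {
        obj: max((t[obj] for t in info_types), key=IMPACT.__getitem__)
        for obj in OBJECTIVES
    }


def high_water_mark(security_category):
    """FIPS 200 rule: the impact level used to pick a baseline is the highest
    impact among the three objectives."""
    return max(security_category.values(), key=IMPACT.__getitem__)


# Constructed placeholder catalog: control -> lowest baseline containing it.
CATALOG = {
    "EX-1 Account management": "LOW",
    "EX-2 Audit review": "LOW",
    "EX-3 Session lock": "MODERATE",
    "EX-4 Backup integrity testing": "HIGH",
}


def select_baseline(system_impact, overlay=(), tailored_out=()):
    """Select step: start from the baseline for the system impact level, tailor
    out controls the organizational risk assessment justifies removing, then
    add the controls any applicable overlay requires."""
    baseline = {c for c, lvl in CATALOG.items()
                if IMPACT[lvl] <= IMPACT[system_impact]}
    baseline -= set(tailored_out)
    baseline |= set(overlay)
    return sorted(baseline)


def ato_expiry(granted_on_iso, max_years=3):
    """Authorize step: an ATO is typically granted for up to 3 years, after
    which the RMF process must be repeated. Returns the expiry as an ISO date;
    an ATO granted on 29 February rolls to 28 February."""
    granted = date.fromisoformat(granted_on_iso)
    try:
        expiry = granted.replace(year=granted.year + max_years)
    except ValueError:
        expiry = granted.replace(year=granted.year + max_years, day=28)
    return expiry.isoformat()


def ato_needs_renewal(granted_on_iso, today_iso, max_years=3):
    """True once the authorization period has run out (ISO dates compare
    correctly as strings)."""
    return today_iso >= ato_expiry(granted_on_iso, max_years)


if __name__ == "__main__":
    # Constructed information types for a sample system.
    types = [
        {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"},
        {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    ]
    sc = categorize(types)
    level = high_water_mark(sc)
    print("Security category:", sc, "-> system impact:", level)
    print("Controls:", select_baseline(level, overlay=("EX-4 Backup integrity testing",)))
    print("ATO granted 2021-07-18 expires", ato_expiry("2021-07-18"))
```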

History

The E-Government Act of 2002 (Public Law 107-347), which enacted FISMA 2002 (the Federal Information Security Management Act), was passed in 2002 to protect the economic and national security interests of the United States related to information security.[11]

Congress later passed FISMA 2014 (Federal Information Security Modernization Act) to provide improvements over FISMA 2002 by:

  • Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
  • Amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and by
  • Requiring OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."[12]

FISMA requires protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity and availability.[13] Title III of FISMA 2002 tasked NIST with responsibilities for standards and guidelines, including the development of:

  • Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels. This task was satisfied by FIPS Publication 199;[8]
  • Guidelines recommending the types of information and information systems to be included in each category. This task was satisfied by NIST Special Publication 800-60, Volumes 1 and 2;[6][7] and
  • Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category. This task was satisfied by the development of FIPS Publication 200.[9]

NIST 800-37 (Risk Management Framework or RMF) was developed to help organizations manage security and privacy risk, and to satisfy the requirements in the Federal Information Security Modernization Act of 2014 (FISMA), the Privacy Act of 1974, OMB policies, and Federal Information Processing Standards, among other laws, regulations, and policies.[3]

Risks

During its lifecycle, an information system will encounter many types of risk that affect the overall security posture of the system and the security controls that must be implemented. The RMF process supports early detection and resolution of risks. Risk can be categorized at a high level as infrastructure risks, project risks, application risks, information asset risks, business continuity risks, outsourcing risks, external risks and strategic risks. Infrastructure risks focus on the reliability of computers and networking equipment. Project risks focus on budget, timeline and system quality. Application risks focus on performance and overall system capacity. Information asset risks focus on the damage, loss or disclosure of information assets to an unauthorized party. Business continuity risks focus on maintaining a reliable system with maximum up-time. Outsourcing risks focus on the impact of a third-party supplier's ability to meet its requirements.[14] External risks are items outside the information system's control that impact the security of the system. Strategic risks focus on the need for information system functions to align with the business strategy that the system supports.[15]

Revision 2 updates

The major objectives for the update to revision 2 included the following:[16]

  • Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  • Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
  • Demonstrate how the NIST Cybersecurity Framework[17] can be aligned with the RMF and implemented using established NIST risk management processes;
  • Integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
  • Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160 Volume 1,[18] with the relevant tasks in the RMF;
  • Integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  • Allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53 Revision 5.[19]

Revision 2 also added a new "Prepare" step in position zero to achieve more effective, efficient, and cost-effective security and privacy risk management processes.[16]

See also

  • Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), predecessor to RMF
  • Zero Trust Architecture
  • NIST Cybersecurity Framework
  • Cyber Risk Quantification

References

  1. "Guide for Applying the Risk Management Framework to Federal Information Systems". NIST.
  2. Joint Task Force (2020-12-10). "Security and Privacy Controls for Information Systems and Organizations". NIST.
  3. Joint Task Force (2018-12-20). "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy". NIST.
  4. Joint Task Force Transformation Initiative (2012-09-17). "Guide for Conducting Risk Assessments". NIST.
  5. Dempsey, Kelley; Chawla, Nirali; Johnson, L.; Johnston, Ronald; Jones, Alicia; Orebaugh, Angela; Scholl, Matthew; Stine, Kevin (2011-09-30). "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations". NIST.
  6. Stine, Kevin; Kissel, Richard; Barker, William; Fahlsing, Jim; Gulick, Jessica (2008-08-01). "Guide for Mapping Types of Information and Information Systems to Security Categories". NIST.
  7. Stine, Kevin; Kissel, Richard; Barker, William; Lee, Annabelle; Fahlsing, Jim (2008-08-01). "Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices". NIST.
  8. National Institute of Standards and Technology (2004-02-01). "Standards for Security Categorization of Federal Information and Information Systems".
  9. National Institute of Standards and Technology (2006-03-01). "Minimum Security Requirements for Federal Information and Information Systems".
  10. Joint Task Force Transformation Initiative (2014-12-18). "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans". NIST.
  11. "govinfo". www.govinfo.gov. Retrieved 2021-07-18.
  12. "Federal Information Security Modernization Act | CISA". www.cisa.gov. Retrieved 2021-07-18.
  13. Carper, Thomas R. (2014-12-18). "Text - S.2521 - 113th Congress (2013-2014): Federal Information Security Modernization Act of 2014". www.congress.gov. Retrieved 2021-07-18.
  14. "IT Risk Management Framework for Business Continuity by Change Analysis of Information System".
  15. "An Empirical Study on the Risk Framework Based on the Enterprise Information System".
  16. Computer Security Division, Information Technology Laboratory (2018-12-18). "RMF Update: NIST Publishes SP 800-37 Rev. 2 | CSRC". CSRC | NIST. Retrieved 2021-07-26.
  17. nicole.keller@nist.gov (2013-11-12). "Cybersecurity Framework". NIST. Retrieved 2021-07-26.
  18. Ross, Ron; McEvilley, Michael; Oren, Janet (2018-03-21). "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems". NIST.
  19. Joint Task Force (2020-12-10). "Security and Privacy Controls for Information Systems and Organizations". NIST.

External links

  • NIST Special Publication 800-37 Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems
  • Risk Management Framework Overview
  • RMF Control Indexer
  • Guide for Mapping Types of Information and Information Systems to Security Categories
