Loading...

NIST Special Publication 800-37, the Risk Management Framework (RMF)

  • RMF Alignments

    • Privacy Integration into the RMF

      • Addresses privacy risk management in accordance with Office of Management and Budget (OMB) Circular A-130

      • Privacy and RMF addressed in Section 2.3 – Information Security and Privacy in the RMF

      • Privacy called out in RMF task text as appropriate (e.g., Task P-3 is to assess security and privacy risk)

      • Privacy-specific Inputs, Outputs, Roles, and References specified as appropriate in tasks

      • Privacy-specific detail in task discussions

    • RMF and Cybersecurity Framework Alignment

      • Inputs and Outputs reference CSF, as applicable (e.g., CSF profile as potential output from Task P-4)

      • Task Outcome tables reference CSF sections, categories, or sub-categories as applicable

      • References for tasks indicate relevant CSF sections (if applicable)

    • Systems Security Engineering and RMF Alignment

      • Systems security engineering addresses security risks throughout the system development life cycle (and system life cycle)

      • Alignment of RMF steps/tasks with existing systems security engineering processes

      • Task references list the related systems security engineering processes from NIST SP 800-160, Volume 1, Engineering Trustworthy Secure Systems, as applicable

      • New Tasks in the Prepare System-Level Step to align with system security engineering processes

        • P-9: System stakeholders

        • P-10: Asset identification

        • P-15: Requirements definition

        • P-17: Requirements allocation

    • Supply Chain and RMF Alignment

      • Discussion of Supply Chain Risk Management (SCRM) within the RMF added in section 2.8 – Supply Chain Risk Management

      • SCRM addressed in Task discussions as applicable

      • SCRM artifacts included in task Inputs and Outputs as applicable

      • SCRM responsibilities noted in Appendix D

    • Incorporating RMF into the SDLC

      • Each task in NIST SP 800-37 (RMF) describes the primary responsibility (role) and supporting roles associated with the task and the phase of the SDLC where task execution occurs

  • Security and Privacy in the RMF

    • NIST Privacy Risk Assessment Methodology (PRAM)

      • The PRAM is a NIST-developed tool that applies the risk model from NISTIR 8062 and helps organizations analyze, assess, and prioritize privacy risks to determine how to respond and select appropriate solutions

      • The PRAM helps drive collaboration and communication between various components of an organization, including privacy, cybersecurity, business, and IT personnel

      • Once the organization has determined which risks to mitigate, the organization can refine the privacy and security requirements and then select and implement controls (i.e., technical and/or policy safeguards) to meet the defined requirements

  • RMF Fundamentals

    • Organization-Wide Risk Management

      • comprehensive process

        • Frame Risk

          • Establish a risk context by describing the environment in which risk-based decisions are made and produce a risk management strategy

        • Assess Risk

          • Identify threat sources and vulnerabilities to the organization, potential mission/business impact, likelihood and uncertainty of occurrence

        • Respond to Risk

          • Provide consistent organization-wide response to risk by developing and evaluating alternative courses of action, determining appropriate course of action and implementing the risk response

        • Monitor Risk

          • Verify planned risk response measures are implemented, determine ongoing effectiveness of risk response, and how risk is monitored over time

  • System and System Elements

    • System and Relational View of the System

      • Applied to systems-of-interest, not individual system elements

      • Diagram illustrates the conceptual view of the system-of-interest

  • Authorization Boundaries

    • Determination of Authorization Boundary Considerations

    • Boundaries for Complex Systems and External Providers

  • Authorization Types and Decisions

    • Authorization Types

      • Initial Authorization

        • Initial (start-up) risk determination and risk acceptance

        • Based on a complete, zero-based review of the system or of common controls

        • Zero-based review includes:

          • Assessment of all implemented system-level controls

          • Review of the security status of inherited common controls specified in security and privacy plans

        • Zero-based review of system does not require zero-based review of common controls available and inherited by system

        • Common control zero-based review includes:

          • Assessment of any controls that contribute to the provision of a common control or set of common controls

      • Ongoing Authorization

        • Subsequent (follow-on) risk determinations and risk acceptance decisions

        • Occurs at agreed-upon and documented frequencies (time-driven) and when organization-defined thresholds are exceeded (event-driven)

        • Conducted with a similar level of effort as the initial authorization and may be:

          • A complete, zero-based assessment; or

          • A targeted assessment based on the type of event that triggered the reauthorization action

      • Reauthorization

        • Static, single point-in-time risk determination and risk acceptance that occurs after the initial authorization

        • May be time-driven or event-driven

        • Separate activity from ongoing authorization

        • Conducted with a similar level of effort as the initial authorization and may be:

          • Complete, zero-based assessment; or

          • Targeted assessment based on the type of event that triggered the reauthorization action

        • Reauthorization actions may lead to a review of the ISCM strategy which could affect ongoing authorization

    • Authorization Decisions

      • 4 Types Authorization Decision by Authorizing Officials 

        • Authorization to Operate

          • Issued by the Authorizing Official after determining that the risk to organizational operations, assets, individuals, other organizations, and the Nation is acceptable

          • An authorization termination date is specified or, if under ongoing authorization, a time-driven authorization frequency is specified

          • Authorizing Official may include operating restrictions as part of the authorization to operate

        • Common Control Authorization

          • Similar to authorization to operate for a system, but issued for common controls

          • Common control authorization termination date is specified or, if under ongoing authorization, a time-driven authorization frequency is specified

          • Common controls implemented as part of a system do not require a separate common control authorization

        • Authorization to Use

          • Employed when an organization (customer organization), after reviewing an existing authorization package, accepts the authorization to operate (ATO) issued by an authorizing official (AO) from another federal entity (provider organization)

          • Issued by an official (customer organization) with the same level of responsibility and authority for risk management as an AO that issues an ATO (provider organization)

          • Indicates acceptance of risk by the customer organization with respect to customer’s information

          • Remains in effect as long as the customer organization continues to accept the risk as indicated in provider organization’s authorization package

        • Denial of Authorization

          • Authorizing official denies authorization to operate, common control authorization, or authorization to use when existing risk is determined to be unacceptable

          • Denial of authorization indicates that there are significant deficiencies in controls

            • Risk is not managed in accordance with organizational risk management strategy and risk tolerance

            • Required controls are not implemented

            • Implemented controls are not operating as intended

    • Type Authorization

      • Single authorization for a common version of a system

      • Utilized when system comprised of identical instances of architecture, software, information types

      • Often used in conjunction with a facility authorization

    • Facility Authorization

      • Authorizes common controls provided in a specific environment of operation

      • Provided at a specified impact level

    • Traditional Authorization

      • Single organizational official in a senior leadership position is responsible and accountable for a system or for common controls

    • Joint Authorization

      • Multiple organizational officials either from the same organization or different organizations, have a shared interest in authorizing a system

  • Requirements and Controls

    • Requirements definition

    • Controls definition

  • Risk Management Framework Steps, Tasks and Structure

    • Steps

      • 7 essential execution Steps of the RMF

        • Prepare

          • Purpose

            • Carry out essential activities at all three risk management levels to help prepare the organization to manage its security and privacy risks using the RMF

          • Organization and Mission/Business Process Level Tasks (NEW)

            • P-1: Risk Management Roles

              • Identify and assign individuals to specific roles associated with security and privacy risk management

            • P-2: Risk Management Strategy

              • Establish a risk management strategy for the organization that includes a determination of risk tolerance

            • P-3: Risk Assessment - Organization

              • Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis

            • P-4: Organizationally-tailored Control Baselines and CSF Profiles (optional)

              • Establish, document, and publish organizationally-tailored control baselines and/or cybersecurity framework profiles

            • P-5: Common Control Identification

              • Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems

            • P-6: Impact Level Prioritization (optional)

              • Prioritize organizational systems within the same impact level

            • P-7: Continuous Monitoring Strategy - Organization

              • Develop and implement an organization-wide strategy for continuously monitoring control effectiveness

          • System Level Tasks (NEW)

            • P-8: Mission or Business Focus

              • Identify the missions, business functions, and mission/business processes that the system is intended to support

            • P-9: System Stakeholders

              • Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system

            • P-10: Asset Identification

              • Identify assets that require protection

            • P-11: Authorization Boundary

              • Determine the authorization boundary of the system

            • P-12: Information Types

              • Identify the types of information to be processed, stored, or transmitted by the system

            • P-13: Information Life Cycle

              • Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system

            • P-14: Risk Assessment - System

              • Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis

            • P-15: Requirements Definition

              • Define the security and privacy requirements for the system and the environment of operation

            • P-16: Enterprise Architecture

              • Determine the placement of the system within the enterprise architecture

            • P-17: Requirements Allocation

              • Allocate security and privacy requirements to the system and to the environment of operation

            • P-18: System Registration

              • Register the system with organizational program or management offices

          • Supporting Publications

            • NIST SP 800-30, Guide for Conducting Risk Assessments

            • NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View

            • NIST SP 800-53B, Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations

            • NIST SP 800-60, Volume 1, Guide for Mapping Types of Information and Information Systems to Security Categories

            • NIST SP 800-60, Volume 2, Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices

            • NIST SP 800-160, Volume 1, Engineering Trustworthy Secure Systems

            • NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations

            • NIST IR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

            • NIST IR 8179, Criticality Analysis Process Model: Prioritizing Systems and Components

        • Categorize

          • Purpose

            • Inform organizational risk management processes and tasks by determining the adverse impact of the loss of confidentiality, integrity, and availability of organizational systems and information to the organization

          • Tasks

            • C-1: System Description

              • Document the characteristics of the system

            • C-2: Security Categorization

              • Categorize the system and document the security categorization results

            • C-3: Security Categorization Review and Approval (NEW)

              • Review and approve the security categorization results and decision

          • Supporting Publications

            • FIPS 199, Standards for Security Categorization of Federal Information and Systems

            • NIST SP 800-60, Volume 1, Guide for Mapping Types of Information and Information Systems to Security Categories

            • NIST SP 800-60, Volume 2, Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices

            • NIST SP 800-18, Guide for Developing System Security Plans for Federal Systems

        • Select

          • Purpose

            • Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk to organizational operations and assets, individuals, and the Nation.

          • Tasks

            • S-1: Control Selection

              • Select the controls for the system and environment of operation

            • S-2: Control Tailoring (NEW)

              • Tailor the controls selected for the system and environment of operation

            • S-3: Control Allocation (REVISED)

              • Allocate security and privacy controls to the system and to the environment of operation

            • S-4: Document Planned Control Implementations (NEW)

              • Document the controls for the system and environment of operation in security and privacy plans

            • S-5: Continuous Monitoring Strategy – System (REVISED)

              • Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy

            • S-6: Plan Review and Approval

              • Review and approve the security and privacy plans for the system and environment of operation

          • Supporting Publications

            • FIPS 200, Minimum Security Requirements for Federal Information and Systems

            • NIST SP 800-53, Security and Privacy Controls for Federal Systems and Organizations

            • NIST SP 800-53B, Security and Privacy Controls for Federal Information Systems and Organizations

        • Implement

          • Purpose

            • Accomplish the activities necessary to translate the security and privacy controls identified in the system security plan into an effective implementation

          • Tasks

            • I-1: Control Implementation

              • Implement the controls as specified in security and privacy plans

            • I-2: Update Control Implementation Information​ (REVISED)

              • Document changes to planned control implementations based on the as-implemented state of the controls​

          • Supporting Publications

            • NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems

            • NIST SP 800-34, Contingency Planning Guide for Federal Information Systems

            • NIST SP 800-61, Computer Security Incident Handling Guide

            • NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response

        • Assess

          • Purpose

            • Determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and organization

          • Tasks

            • A-1: Assessor Selection (NEW)

              • Select the appropriate assessor or assessment team for the type of control assessment to be conducted

            • A-2: Assessment Plan

              • Develop, review, and approve plans to assess implemented controls

            • A-3: Control Assessments (MOVED)

              • Assess the security controls in accordance with the assessment procedures defined in the security assessment plan

            • A-4: Assessment Reports

              • Prepare the assessment reports documenting the findings and recommendations from the control assessments

            • A-5: Remediation Actions

              • Conduct initial remediation actions on the controls and reassess remediated controls

            • A-6: Plan of Action and Milestones (MOVED)

              • Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports

          • Supporting Publications

            • NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Systems and Organizations: Building Effective Security Assessment Plans

            • NIST IR 8011, Automation Support for Ongoing Assessment (Multiple Volumes)

        • Authorize

          • Purpose

            • Provide accountability by requiring a senior management official to determine if the security and privacy risk to organizational operations and assets, individuals, other organizations, or the Nation of operating a system or the use of common controls, is acceptable

          • Tasks

            • R-1: Authorization Package

              • Assemble the authorization package and submit the package to the authorizing official for an authorization decision

            • R-2: Risk Analysis and Determination (REVISED)

              • Analyze and determine the risk from the operation or use of the system or the provision of common controls

            • R-3: Risk Response (NEW)

              • Identify and implement a preferred course of action in response to the risk determined

            • R-4: Authorization Decision (NEW)

              • Determine if the risk from the operation or use of the system or the provision or use of common controls is acceptable

            • R-5: Authorization Reporting

              • Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk

          • Supporting Publications

            • No Additional  Publication

        • Monitor

          • Purpose

            • Maintain an ongoing situational awareness about the security and privacy posture of the system and the organization in support of risk management decisions

          • Tasks

            • M-1: System and Environment Changes

              • Monitor the system and its environment of operation for changes that impact the security and privacy posture of the system

            • M-2: Ongoing Assessments

              • Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy

            • M-3: Ongoing Risk Response

              • Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones

            • M-4: Authorization Package Updates

              • Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process

            • M-5: Security and Privacy Reporting

              • Report the security status of the system (including the effectiveness of security controls employed within and inherited by the system) to appropriate organizational officials on an ongoing basis in accordance with the organization-defined monitoring strategy

            • M-6: Ongoing Authorization

              • Review the reported security status of the system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable

            • M-7: System Disposal

              • Implement a system decommissioning strategy which executes required actions when a system is removed from service

          • Supporting Publications

            • NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations

            • NIST SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

            • NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Systems and Organizations: Building Effective Security Assessment Plans

            • NIST IR 8011, Automation Support for Ongoing Assessment (Multiple Volumes)

            • NIST IR 8212, ISCMA: An Information Security Continuous Monitoring Program Assessment (and reference implementation to conduct ISCM Program Assessment)

    • Tasks

      • Task Section

      • Potential Inputs

      • Expected Outputs

      • Primary Responsibility Section

      • Supporting Roles Section

      • SDLC Phase Section

      • Discussion Section

      • References Section

  • Supply Chain Risk Management

  • Risk Management Roles and Responsibilities

    • Authorizing Official

    • Authorizing Official Designated Representative

    • C-Suite Officials (e.g., Chief Acquisition Officer, Chief Information Officer, Head of Agency)

    • Common Control Provider

    • Control Assessor

    • Enterprise Architect

    • Information Owner or Steward

    • Risk Executive (Function)

    • Security or Privacy Architect

    • Senior Accountable Official for Risk Management

    • Senior Agency Information Security Officer

    • Senior Agency Official for Privacy

    • System Owner

    • System Security or Privacy Officer

    • System Security or Privacy Engineer

  • Security and Privacy Posture

    • Represents the status of systems, information resources, and information technology capabilities within an organization based on information assurance resources (e.g., personnel, equipment, funds, hardware, software, policies, procedures)

    • Determined on an ongoing basis by assessing and continuously monitoring system-specific, hybrid, and common controls

    • Utilized by authorizing officials to determine if the risk to organizational operations and assets, individuals, other organizations, or the Nation are acceptable based on the organization’s risk management strategy and organizational risk tolerance