Introduction
The information technology and systems of organizations and nations face many risks, including the disruption or compromise of the confidentiality, integrity, or availability (CIA) of information being processed, stored, or transmitted by these systems. The effectiveness and success of an organization's mission and business functions hinge on safeguarding these systems and the organization’s proprietary information.
In an era of constant cyber threats, system risk is a key part of organizational risk. Senior leadership of every organization must manage broad business risks, including those risks related to the operation and use of systems. Effective risk management across an organization involves integrating information security and privacy into the core culture and structure using a well-orchestrated set of activities.
The Risk Management Framework (RMF), supported by a suite of technical publications developed by the National Institute of Standards and Technology (NIST), provides a structured and flexible approach for managing risk resulting from the incorporation of systems into the mission and business processes of an organization. The RMF is one of the risk frameworks that has shown widespread success and acceptance. While it is showing its age, it is nonetheless the basis for much of modern information security practice.
The RMF is described in three core interrelated Special Publications (note that there are other key publications specific to individual steps of the RMF):
SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations
SP 800-39, Managing Information Security Risk
SP 800-30, Revision 1, Guide for Conducting Risk Assessments
The framework incorporates the key elements of risk management with which business leaders should be acquainted, and security professionals should practice.
Background
Special Publication (SP) 800-37 was originally developed by NIST in 2004 to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA). In partnership with the Department of Defense (DoD), the Intelligence Community (IC), and the Committee on National Security Systems (CNSS), NIST formed the Joint Task Force (JTF) to develop a unified framework for the defense, intelligence, and private sector communities. This unified framework continues to serve as a common strategy to protect both critical federal and civilian information systems and associated infrastructure.
In 2010, NIST issued SP 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach," as a JTF publication. The publication evolved with Revision 2, released in December 2018. In terms of technological change, that was a lifetime ago; nonetheless, in the spirit of optimism, we'll celebrate some important changes between the two revisions:
New guidance addresses and includes:
Alignment and integration of supply chain, privacy, Cybersecurity Framework (CSF), and security engineering processes into the RMF
Guidance on how RMF is implemented in the system development life cycle (SDLC)
Addition of the organization-level and system-level Prepare step
Potential inputs and expected outputs for all RMF tasks
Closer linkage between C-Suite/Governance-level to system/operational-level to facilitate better communication
Updated and expanded guidance on:
Authorization boundaries
Authorization decisions and types
Ongoing authorization
Roles and responsibilities
Purpose
The stated purpose of SP 800-37 according to NIST:
Promote an organization-wide risk management process to include privacy and information security risk, and to ensure that managing system risk is consistent with mission/business objectives and the overall risk strategy established by the senior leadership through the risk executive function.
Manage privacy and information security risk consistent with mission/business objectives and the overall risk strategy. To ensure that security and privacy requirements, including necessary controls, are integrated into the organization's enterprise architecture and system development life cycle processes.
Ensure consistent risk posture throughout the organization, and to achieve more secure information and systems through the implementation of appropriate risk response strategies.
Establish who is accepting risk for the system and the organization, and to establish responsibility and accountability for the security and privacy of organization systems, information, and environments of operation.
Provide senior leaders the necessary information to make credible, risk-based decisions with regard to the security and privacy of systems supporting organizational mission and business functions.
Components / Steps
The RMF defines a seven-step process (see figure 1), outlined below. It's important to note that the process is never ending, because systems are constantly changing and evolving, and each change should be reviewed in light of the RMF process.
Step 1 - Prepare: The initial phase involves aligning top executives and senior leaders, encompassing both strategic and operational tiers, across the organization. This step ensures consensus on roles, priorities, limitations, and acceptable levels of risk. A crucial task in this preparatory stage is carrying out an organizational risk assessment which serves as a shared reference point, facilitating discussions about strategic risks among the entire team. A significant result of this evaluation is pinpointing high-value assets, which will become the central focus of the entire effort.
Tasks in the Prepare step are meant to support the rest of the steps of the framework, and are mainly comprised of guidance from other NIST publications, requirements as set by the Office of Management and Budget (OMB) policy, or a combination of the two. The purpose of this step is to "reduce complexity as organizations implement the RMF, promote IT modernization objectives, conserve security and privacy resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals."
Step 2 - Categorize: The next step is to categorize systems based on the criticality and sensitivity of the information stored, processed, or transmitted by those systems. The idea is to create system categories based on their importance, so that organizational defensive resources can be prioritized. NIST Special Publication 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories," plays a crucial role in the risk management process, particularly in applying sensitivity and criticality to the CIA objectives of information systems. All US government agencies are required to use these guidelines.
SP 800-60 uses a categorization method called the "high water mark," which rates each security objective (again, meaning confidentiality, integrity, and availability) as low, moderate, or high impact, and uses the highest security category of the objectives to determine the overall system rating. In other words, a low-impact system is defined as a system in which all three of the security objectives are low. A moderate-impact system is one in which at least one objective is moderate, and none are greater than moderate. A high-impact system is a system in which at least one security objective is high.
Sensitivity and Criticality in Context of CIA Objectives:
Confidentiality: Sensitivity primarily influences the confidentiality aspect. Information sensitivity refers to the potential harm that could result from unauthorized disclosure. SP 800-60 guides organizations in categorizing information and systems based on the adverse impact levels (low, moderate, high) if confidentiality is compromised.
Integrity: This relates to the accuracy, authenticity, and reliability of information. The criticality of information plays a significant role here. SP 800-60 assists in determining how the integrity of different types of information and systems impacts an organization's mission, functions, image, or reputation.
Availability: The availability objective is significantly influenced by the criticality of the information system. SP 800-60 provides guidance on assessing the impact levels if systems are disrupted or unavailable, ensuring organizations understand the consequences of system downtime or data inaccessibility.
Prior to categorizing a system, the system boundary should be defined, and based on that boundary, all information types associated with the system should be identified. Information about the organization and its mission, its roles and responsibilities as well as the system’s operating environment, intended use and connections with other systems may affect the final security impact level determined for the information system.
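The categorization described above, as an added worked example (not code from the article or from NIST): each information type inside the system boundary carries a provisional low/moderate/high level for confidentiality, integrity and availability; the system's level for each objective is the highest among its information types, and the overall rating is the high water mark across the three objectives. The `adjustments` parameter is an assumption of this example, modelling the step where mission, environment and interconnection context change a provisional level; the information types and their levels are constructed sample data, not values from SP 800-60.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Optional


class Impact(IntEnum):
    """FIPS 199 impact levels; the ordering lets max() act as the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type within the system boundary and its provisional
    impact level for each security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def level(self, objective: str) -> Impact:
        return getattr(self, objective)


def categorize_objectives(info_types: Iterable[InformationType],
                          adjustments: Optional[Dict[str, Impact]] = None) -> Dict[str, Impact]:
    """Derive the per-objective security category of a system.

    For each objective, the system level is the highest level among all the
    information types it handles. `adjustments` (hypothetical parameter) models
    the review of provisional levels against mission, environment and
    interconnection context; the justification for any adjustment is recorded
    outside this function.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    category = {obj: max(t.level(obj) for t in types) for obj in OBJECTIVES}
    for obj, level in (adjustments or {}).items():
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {obj}")
        category[obj] = Impact(level)
    return category


def high_water_mark(category: Dict[str, Impact]) -> Impact:
    """Overall system impact level: the highest of the three objective levels."""
    return max(category[obj] for obj in OBJECTIVES)


def categorize_system(info_types: Iterable[InformationType],
                      adjustments: Optional[Dict[str, Impact]] = None) -> dict:
    """Return both the per-objective category and the overall high water mark."""
    category = categorize_objectives(info_types, adjustments)
    return {"objectives": category, "overall": high_water_mark(category)}


def format_category(category: Dict[str, Impact]) -> str:
    """Render the category in FIPS 199 notation, e.g.
    SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample data for a hypothetical benefits-processing system.
SAMPLE_INFO_TYPES = [
    InformationType("public program information", Impact.LOW, Impact.LOW, Impact.LOW),
    InformationType("applicant personal records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InformationType("payment processing data", Impact.LOW, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    result = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(result["objectives"]))
    print("overall impact:", result["overall"].name)
    # Context review: assume the system supports a time-critical mission, so
    # availability is raised to HIGH, which lifts the whole system to HIGH.
    adjusted = categorize_system(SAMPLE_INFO_TYPES, {"availability": Impact.HIGH})
    print(format_category(adjusted["objectives"]))
    print("overall impact after adjustment:", adjusted["overall"].name)
```

Note that a single high-impact information type, or a single contextual adjustment to one objective, is enough to raise the whole system's rating; this is why the boundary and the inventory of information types must be settled before the category is finalized.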
Step 3 - Select security controls: Once your systems have been categorized, you need to select controls to be used to protect them. Remember that security controls are the management, operational and technical safeguards or countermeasures employed within an organizational information system that protect the confidentiality, integrity and availability of the system and its information. The NIST RMF defines three types of security controls:
Common: a control that applies to multiple systems, and is not part of any one of those systems. A web application firewall (WAF) that filters and monitors traffic between a web app and the Internet is an example.
System-specific: a control that is implemented within a system and provides protection only for that system.
Hybrid: a combination of the above two as a catch-all category. An example might be an emergency power supply that is provided separately, as an additional control for a critical system, even though emergency power is provided as a common control at the facility level.
Note that NIST SP 800-53 specifies controls to mitigate risks to acceptable levels.
Step 4 - Implement: Now that you've categorized systems and selected appropriate security controls to mitigate risks, they must be implemented. This step requires that an organization not only implement security controls but, just as importantly, describe or document how the controls are employed within the information system and its environment of operation. Documentation of implemented controls is important, as it keeps a record of what was deployed to which systems, and why, and also supports integration of the controls into the overall assessment and monitoring plan. Policies should be tailored to each device to align with the required security documentation.
Step 5 - Assess Security Controls: Security controls that are implemented need to be assessed to ensure they are meeting the goals of risk remediation. A competent and independent assessor should be identified and tasked to determine if the controls are in place, operating as intended, and producing the desired results.
Step 6 - Authorize: At this stage, the results of the risk and controls assessment are presented to senior management, who make a risk-based decision to authorize the system to operate. Authorization of the information system operation is based on a determination of the risk to organizational individuals, assets, and other systems. This normally requires a review of the plan of action addressing any unmitigated risk. Authorization is often given for a set period of time as specified in a plan of action and milestones (POAM).
Step 7 - Monitor: Continuous monitoring programs allow an organization to maintain the security authorization of an information system over time in a highly dynamic operating environment where systems adapt to changing threats, vulnerabilities, technologies and mission/business processes. While the use of automated support tools isn’t required, risk management can become near real-time through the use of automated tools, helping to contain configuration drift and other potential security incidents associated with unexpected changes on different core components and their configurations. Automated tools can also provide ATO (Authorization to Operate) standard reporting.
Conclusion
Risk related to the operation of information systems needs to be managed as part of the broader organizational risk management strategy. Effective risk management across an organization involves integrating information security and privacy into the core culture and structure. To achieve this, a well-orchestrated set of activities is necessary to ensure that essential information security and privacy needs are incorporated into the organization's standard management and operational practices.
The NIST RMF, supported by a suite of associated technical publications, provides a structured and flexible approach for managing risk resulting from the incorporation of systems into the mission and business processes of an organization. Even though the RMF is geared for government and showing its age, it remains the basis for a lot of modern information security practice, and is worth reviewing and incorporating into private sector organizational risk management.