What is the NIST Risk Management Framework (NIST RMF)?

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems. It links to a suite of NIST standards and guidelines that support the implementation of risk management programs meeting the requirements of the Federal Information Security Modernization Act (FISMA).
What are the NIST RMF Steps?
Overview
Overview of the RMF seven-step process:
- Prepare – Essential activities to prepare the organization to manage security and privacy risks
- Categorize – Categorize the system and information processed, stored, and transmitted based on an impact analysis
- Select – Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
- Implement – Implement the controls and document how controls are deployed
- Assess – Assess to determine if the controls are in place, operating as intended, and producing the desired results
- Authorize – Senior official makes a risk-based decision to authorize the system (to operate)
- Monitor – Continuously monitor control implementation and risks to the system
Step 1: Prepare
This step was an addition to the Risk Management Framework in Revision 2. Tasks in the Prepare step are meant to support the rest of the steps of the framework. The step consists mainly of guidance from other NIST publications, requirements set by Office of Management and Budget (OMB) policy, or a combination of the two. In some cases, organizations may find they have already implemented some of the tasks from the Prepare step as part of their risk management program. The purpose of this step was to “reduce complexity as organizations implement the Risk Management Framework, promote IT modernization objectives, conserve security and privacy resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.”
Outcomes:
- key risk management roles identified
- organizational risk management strategy established, risk tolerance determined
- organization-wide risk assessment
- organization-wide strategy for continuous monitoring developed and implemented
- common controls identified
See the RMF Quick Start guide on Prepare for more details.
References for Step 1: Prepare: NIST Special Publications 800-30, 800-39, 800-18, 800-160 Volume 1, NISTIR 8062
Step 2: Categorize Information Systems
This step is entirely administrative and involves gaining an understanding of the organization. Prior to categorizing a system, the system boundary should be defined. Based on that system boundary, all information types associated with the system can and should be identified. Information about the organization and its mission, its roles and responsibilities, as well as the system’s operating environment, intended use, and connections with other systems, may affect the final security impact level determined for the information system.
Outcomes:
- system characteristics documented
- security categorization of the system and information completed
- categorization decision reviewed/approved by authorizing official
See the Categorize Step Quick Start Guide for more details.
References for Step 2: Categorize: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60 Volume 1 and Volume 2; CNSS Instruction 1253.
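The categorization the page describes is computed in practice with the FIPS 199 high-water mark: each information type receives a provisional impact level (low, moderate, high, or NA for confidentiality of public information) for confidentiality, integrity, and availability, and the system inherits, per objective, the highest level of any information type it handles. The following is an added example, not code from NIST or from this page; the information types and their provisional levels are constructed, and `adjust_level` is a hypothetical helper for recording the context-driven adjustments the text mentions.

```python
"""FIPS 199 security categorization of a system from its information types.

Added example for the Categorize step. Information types and their provisional
impact levels are constructed; they are not taken from SP 800-60.
"""
from typing import Dict, List

# FIPS 199 impact levels in increasing order. "NA" is permitted only for the
# confidentiality objective (information that is already public).
LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: provisional levels an organization might assign to the
# information types inside one system boundary.
SAMPLE_INFO_TYPES: Dict[str, Dict[str, str]] = {
    "public web content": {"confidentiality": "NA", "integrity": "MODERATE", "availability": "LOW"},
    "employee PII": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payment processing": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}


def _rank(level: str, objective: str) -> int:
    """Validate an impact level and return its position for max() comparisons."""
    level = level.upper()
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError("NA is only allowed for the confidentiality objective")
    return LEVELS.index(level)


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """High-water mark: per objective, the system takes the highest level of any
    information type it processes, stores, or transmits."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    system_cat: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max(_rank(cat[objective], objective) for cat in info_types.values())
        system_cat[objective] = LEVELS[highest]
    return system_cat


def adjust_level(system_cat: Dict[str, str], objective: str, new_level: str,
                 rationale: str, decisions: List[str]) -> Dict[str, str]:
    """Hypothetical helper: apply a documented adjustment (e.g. mission context or
    interconnections raise availability) and record the rationale for the
    authorizing official's review. Returns a new dict; the input is untouched."""
    _rank(new_level, objective)
    adjusted = dict(system_cat)
    decisions.append(f"{objective}: {system_cat[objective]} -> {new_level.upper()} because {rationale}")
    adjusted[objective] = new_level.upper()
    return adjusted


def overall_impact(system_cat: Dict[str, str]) -> str:
    """The single level that drives SP 800-53B baseline selection in the Select step."""
    return LEVELS[max(_rank(v, k) for k, v in system_cat.items())]


def fips199_notation(system_name: str, system_cat: Dict[str, str]) -> str:
    """Render the categorization in the SC notation used by FIPS 199."""
    pairs = ", ".join(f"({obj}, {system_cat[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


if __name__ == "__main__":
    provisional = categorize_system(SAMPLE_INFO_TYPES)
    decisions: List[str] = []
    final = adjust_level(provisional, "availability", "HIGH",
                         "outage halts all customer payments (constructed rationale)", decisions)
    print(fips199_notation("payment system", final))
    print("overall impact:", overall_impact(final))
    for line in decisions:
        print("adjustment:", line)
```

The high-water mark is applied per objective, so a system can be moderate for confidentiality but high for integrity; the overall level (the maximum across objectives) is what selects the control baseline later.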
Step 3: Select Security Controls
Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. Assurance is the grounds for confidence that the security controls implemented within an information system are effective in their application.
Outcomes:
- control baselines selected and tailored
- controls designated as system-specific, hybrid, or common
- controls allocated to specific system components
- system-level continuous monitoring strategy developed
- security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved
See the Select Step Quick Start Guide for more details.
References for Step 3: Select: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53B; CNSS Instruction 1253.
Step 4: Implement Security Controls
The Implement step requires an organization to implement security controls and describe how the controls are employed within the information system and its environment of operation. Policies should be tailored to each device to align with the required security documentation.
Outcomes:
- controls specified in security and privacy plans implemented
- security and privacy plans updated to reflect controls as implemented
See the Implement Step Quick Start Guide for more details.
References for Step 4: Implement: FIPS Publication 200; NIST Special Publications 800-34, 800-61, 800-128; CNSS Instruction 1253; Web: SCAP.NIST.GOV.
Step 5: Assess Security Controls
Assessing the security controls requires using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Outcomes:
- assessor/assessment team selected
- security and privacy assessment plans developed
- assessment plans are reviewed and approved
- control assessments conducted in accordance with assessment plans
- security and privacy assessment reports developed
- remediation actions to address deficiencies in controls are taken
- security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
- plan of action and milestones developed
See the Assess Step Quick Start Guide for more details.
References for Step 5: Assess: NIST Special Publication 800-53A, NISTIR 8011.
Step 6: Authorize Information System
Authorizing an information system to operate is based on a determination of the risk to organizational operations and individuals, assets, other organizations, and the nation resulting from the operation of the information system, and a decision that this risk is acceptable. Reporting is designed to work with the POA&M (Plan of Action & Milestones), which provides the tracking and status for any failed controls.
Outcomes:
- authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
- risk determination rendered
- risk responses provided
- authorization for the system or common controls is approved or denied
See the Authorize Step Quick Start Guide for more details.
References for Step 6: Authorize: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A.
Step 7: Monitor Security Controls
Continuous monitoring programs allow an organization to maintain the security authorization of an information system over time in a highly dynamic operating environment where systems adapt to changing threats, vulnerabilities, technologies, and mission/business processes. While the use of automated support tools is not required, risk management can become near real-time through their use. This helps detect configuration drift and other potential security incidents associated with unexpected changes to core components and their configurations, and provides standard ATO (Authorization to Operate) reporting.
Outcomes:
- system and environment of operation monitored in accordance with continuous monitoring strategy
- ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
- output of continuous monitoring activities analyzed and responded to
- process in place to report security and privacy posture to management
- ongoing authorizations conducted using results of continuous monitoring activities
See the Monitor Step Quick Start Guide for more details.
References for Step 7: Monitor: NIST Special Publications 800-53A, 800-53, 800-137; NISTIR 8011, NISTIR 8212.
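The Authorize step above ties reporting to the POA&M, and the Monitor step describes automated tooling that catches configuration drift. The following is an added example, not code from NIST or from this page, showing how a monitoring check can compare a current configuration snapshot against the approved baseline and turn each deviation into a finding that can be tracked as a POA&M entry. The baseline, the snapshot, the control mapping, and the 30-day remediation window are all constructed assumptions; the control identifiers CM-6 (Configuration Settings) and CM-3 (Configuration Change Control) are real SP 800-53 controls, but which one applies to a given item is an organizational decision.

```python
"""Configuration drift detection feeding POA&M entries.

Added example for the Monitor step. Baseline and snapshot values are constructed;
the control mapping and remediation window are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed approved baseline: configuration item -> value recorded at authorization.
BASELINE: Dict[str, str] = {
    "sshd:PasswordAuthentication": "no",
    "sshd:PermitRootLogin": "no",
    "firewall:default_inbound": "deny",
    "audit:log_forwarding": "enabled",
}

# Constructed current snapshot, as a monitoring agent would collect it.
CURRENT: Dict[str, str] = {
    "sshd:PasswordAuthentication": "no",
    "sshd:PermitRootLogin": "yes",            # changed from the baseline
    "firewall:default_inbound": "deny",
    "audit:log_forwarding": "disabled",       # changed from the baseline
    "sshd:Banner": "/etc/issue",              # item not present in the baseline
}


@dataclass(frozen=True)
class Finding:
    item: str
    expected: str
    observed: str
    control: str  # SP 800-53 control the deviation is assessed against (assumed mapping)


def snapshot_digest(config: Dict[str, str]) -> str:
    """Order-independent fingerprint of a snapshot. Comparing digests is the cheap
    trigger; the detailed comparison below runs only when they differ."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    """Report baseline settings that changed or disappeared (mapped to CM-6) and
    items that appeared without a baseline entry, i.e. unapproved change (CM-3)."""
    findings: List[Finding] = []
    for item, expected in sorted(baseline.items()):
        observed = current.get(item)
        if observed is None:
            findings.append(Finding(item, expected, "<missing>", "CM-6"))
        elif observed != expected:
            findings.append(Finding(item, expected, observed, "CM-6"))
    for item in sorted(set(current) - set(baseline)):
        findings.append(Finding(item, "<not in baseline>", current[item], "CM-3"))
    return findings


def to_poam(findings: List[Finding], identified: date, due_days: int = 30) -> List[dict]:
    """Turn findings into POA&M rows: weakness, control, status and milestone date.
    The 30-day default is a constructed policy value."""
    return [
        {
            "weakness": f"{f.item}: expected {f.expected!r}, observed {f.observed!r}",
            "control": f.control,
            "status": "Open",
            "identified": identified.isoformat(),
            "scheduled_completion": (identified + timedelta(days=due_days)).isoformat(),
        }
        for f in findings
    ]


if __name__ == "__main__":
    if snapshot_digest(CURRENT) == snapshot_digest(BASELINE):
        print("no drift: snapshot matches approved baseline")
    else:
        for entry in to_poam(detect_drift(BASELINE, CURRENT), date(2024, 1, 15)):
            print(json.dumps(entry))
```

Because the digest is computed over a canonical (sorted) serialization, two snapshots with the same settings in different order compare equal, and a single changed value is enough to trigger the full comparison that produces the POA&M rows.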
How Can An Effective Risk Management Framework Benefit A Business?
Though the RMF is a requirement for businesses working with the US Government, implementing an effective risk management system can benefit any company. The ultimate goal of working toward RMF compliance is the creation of a data and asset governance system that provides full-spectrum protection against the cyber risks you face.
More specifically, developing a practical risk management framework will provide a company with several specific benefits:
- Asset Protection
- Reputation Management
- IP Protection
- Competitor Analysis