U.S. Federal Cybersecurity Compliance Part II

You can find Part I of my U.S. Federal Cybersecurity Compliance blog here.

NIST 800-37: Risk Management Framework for Information Systems and Organizations

The Risk Management Framework is a standard developed by the National Institute of Standards and Technology (NIST). The RMF acronym is widely used across the industry. This framework “[E]mphasizes risk management by promoting the development of security and privacy capabilities into information systems throughout the system development life cycle (SDLC); by maintaining situational awareness of the security and privacy posture of those systems on an ongoing basis through continuous monitoring processes; and by providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use and operation of their systems.”1

The document consists of three chapters. Let’s break down each of them, and learn how the RMF can be applied in a real-world example.

Chapter 1

Chapter 1 provides an introduction and background, and identifies the target audience of the publication.

Chapter 2

Chapter 2 of the publication describes the concepts related to the management of security and privacy risk. The two main highlights of this chapter, and the focus of this write-up, are the multi-level approach to risk management and the seven steps and structure of the RMF.

Multi-level Approach to Risk Management

There are three levels described in this chapter:

  1. The organization sits at level one, where the risk perspective is the broadest.
  2. The mission and business processes are found at level two.
  3. The information system is at level three, where a more detailed and granular risk perspective is expected.

The bidirectional arrow in the chapter’s Figure 1, pictured below, indicates that all three levels must communicate and report to one another, so that identified risks are addressed across the entire organization, its business processes and its information systems.

Figure 1 of the RMF. Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

RMF Steps and Structure

There are seven steps presented in the chapter:

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

The chapter provides a detailed description of each of these steps, and it structures them so that preparation is always at the center of the process, as the step that initiates it.

It is important to note that the remaining steps, after Prepare, do not need to be carried out in strict sequential order.

Chapter 3

This chapter is all about aligning the organization’s system development life cycle (SDLC) with the Risk Management Framework, and it also describes in detail the process for executing each of the RMF tasks.

Real World Application

Consider a healthcare organization implementing the RMF. By categorizing its patient data systems and continuously monitoring them, it can proactively address potential threats, safeguarding sensitive information and maintaining the trust of its patients.

Conclusion

The Risk Management Framework (RMF) is not just a theoretical model; it’s a practical tool that, when effectively implemented, can protect your organization from significant risks. By understanding and applying the RMF, you are taking a proactive step towards a more secure and resilient organization.

  1. Taken from the Background section of the Risk Management Framework, rev2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf