Whether you perform risk assessments for clients or your own organization, you know how daunting it can be to define and prioritize the risks you identify. Fortunately, security frameworks exist to help us create a strategy for minimizing or eliminating risks. The NIST (National Institute of Standards and Technology) RMF (Risk Management Framework), while focused on setting security standards that federal agencies must follow, is also popular in the private sector since it contains practical guidance that organizations can use to better protect their people, operations and assets.
In this blog post, I detail the key ideas in the NIST RMF and explain how to start applying the framework in practice in your organization.
NIST RMF: A Risk-Based Process
The NIST RMF is associated with several standards, including the following:
- NIST SP 800-37 — “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle” Since 2004, this guide has helped organizations achieve compliance with the Federal Information Security Management Act (FISMA), a U.S. federal law that requires federal agencies to implement an information security program. The NIST SP 800-37 takes the certification and accreditation process (a traditional way to implement any formal process) and transforms it into the six-step RMF process, which is described in more detail below.
- NIST SP 800-53/800-53a. While the NIST SP 800-37 provides the actual security framework, NIST SP 800-53/800-53a is a set of standards created to help federal agencies meet the requirements set by FISMA. Federal agencies have to follow these standards, but the private sector can — and should — as well. This NIST special publication (NIST SP) provides a comprehensive list of security controls that can be used when implementing the RMF. They include 18 control families and cover virtually every aspect of IT security, from access control to system and services acquisition.
The Key Steps in the NIST RMF Process
1. Categorize Information Systems
The first step of RMF is to determine the types of information stored and processed in your environment, such as medical or financial data, as defined by your organization and/or by law. NIST SP 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories,” can help you with the categorization process and suggests information types to use.
2. Select Security Controls
Next, you select security controls, which are the safeguards you will use to protect the confidentiality, integrity and availability of your systems and information. These will be a combination of administrative, physical and technical controls. Assessing the various controls can be a challenge, and SP 800-53 can help you select the right ones for your organization.
3. Implement Security Controls
Next, you implement the selected security controls and document how they are used in your information security program. While some organizations choose to implement controls using their own staff, it’s not uncommon to outsource controls. For example, it’s becoming popular to engage a managed security service provider (MSSP) to oversee certain controls, such as the organization’s security information and event management (SIEM) processes. Outsourcing security functions can sometimes be cheaper and easier than hiring in-house expertise.
4. Assess Security Controls
In this step, you assess your security controls to determine whether they are implemented correctly, working properly and meeting your security requirements. This is an area where bringing in outside resources will help greatly. For example, by having a third party do regular vulnerability scanning and/or penetration testing, you will have a much clearer picture of your organization’s security posture when viewed through the eyes of attackers.
5. Update Information System Controls
Based on the findings of the control assessment, create an action plan for tracking, reviewing and remediating your weaknesses based on the risk each one poses to the organization. This is another area where teaming up with outside resources can be beneficial. For example, it might make sense to have a third-party security consultancy be part of your information security committee, which would give you an ongoing objective opinion on your controls and help you determine if they are producing the desired outcomes.
6. Monitor Security Controls
The last step is to conduct continuous monitoring of your controls to ensure they satisfy your security requirements as business technologies, threats and vulnerabilities change over time. Automated tools can offer a real advantage, since they can identify potential security incidents and unexpected changes in near real time.
Tips for Getting Started
While the NIST risk management framework provides a great structure that organizations can follow to improve their security posture, it can be a bit overwhelming at first — especially if your company is small or new to information security. These tips will help you get your security program off to a good start:
- Get assessed by someone else first. The NIST guidance is not easy to follow if you’re new to the framework. Consider engaging a third party to conduct your organization’s first risk assessment, clarify the intent of the framework and help you make a game plan for managing your risks.
- Remember that security takes time. At the end of some assessments I’ve done, I’ve had the organization’s leaders get overly excited and proclaim, “We shall not eat or sleep until we remediate each and every one of these risks!” While that’s a lofty goal, remember that security isn’t a checklist, and there’s no way you’re going to fix your security problems in one day. Some risks appear simple on paper to remediate but actually have complex dependencies that mean addressing them can take weeks or months and require the purchase of additional technologies. Take it in stride.
- Start small. You might be overwhelmed by the number of risks identified in your first assessment, and the large mountain of remediation work that is created as a result. Don’t panic. Work with your assessor to prioritize the list, and make sure you get a clear explanation of what the remediation steps are.
- Ask for help. At many of the companies I assess, just one or two people are responsible for the entirety of IT security. As you review your remediation plan, make sure you know your staff’s skill set, and then don’t be afraid to ask third-party IT and security consultancies for help when necessary. They can often fix specific issues quickly and efficiently, leaving your staff focused on their core competencies.
The NIST RMF is a great way to get your organization headed toward a better security posture. It provides a solid, cyclical six-step process that guides you in categorizing your data and selecting, implementing, assessing and monitoring appropriate security controls. As you work on your information security program, remember that good security takes a considerable amount of time and effort. Like life, security is a journey, not a destination.
What is the NIST risk management framework?
The NIST risk management framework is a set of policies and standards to help secure information systems. Although the framework was designed for federal agencies, any organization can integrate it into their systems development lifecycle to help manage risks to their information systems and sensitive data. The framework is detailed in NIST Special Publication 800-37 and is considered a standard for security planning.
What is the purpose of the NIST risk management framework?
The NIST risk management framework provides organizations with consistent and unified approach for addressing security and privacy risks to their operations and assets. It provides a broad view of risks to address and helps organizations prioritize those risks. It also helps organizations comply with regulations such as the Federal Information Security Modernization Act of 2014 (FISMA) and the Privacy Act of 1974.
What steps are in the NIST risk management framework?
The NIST risk management framework includes the following six steps:
- Categorize information and systems by how critical they are.
- Select security controls based on the categorization results.
- Implement the security controls selected in step 2.
- Assess the security controls by determining how effective they are.
- Authorize the information system by examining the risks resulting from the operation of the information system, determining whether those risks are acceptable, and developing a plan for addressing any deficiencies.
- Monitor the security controls for changes and signs of attacks, and regularly reassess the effectiveness of the controls.
What are the benefits of using the NIST risk management framework?
By implementing the NIST risk management framework, organizations can:
- Build repeatable processes to promote information and system protection
- Categorize their information and systems
- Improve their security and privacy posture through continuous monitoring
- Facilitate risk management decisions
- Meet security and privacy requirements