The National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) is the standard guideline for information security and assurance protocols for government and commercial tech organizations alike. NIST RMF compliance is required for all entities and organizations handling federal data and information. This article will cover the basics of NIST RMF.
What is NIST RMF?
NIST RMF is a framework of guidelines and over 1000 security controls designed to provide a standard, comprehensive, risk-based, and flexible approach to information security and privacy for organizations and information systems. It was developed with government systems and information in mind, but it has been adopted as the general standard for information security and privacy.
The NIST RMF strategy involves shifting security, privacy, and supply chain risk management to the beginning of the information system development life cycle. Ensuring that security is an integral part of all components and processes involved in enterprise architecture and information systems allows security teams to optimize security and privacy from an organization-wide level.
The Fundamentals of NIST RMF
Integrated Organization-Wide Risk Management
The tiered risk management approach works top-down and bottom-up, with tier I as the governance level, tier II as the information and information flow level, and tier III as the environment of operation level. These tiers correspond to the organization, mission/business process, and information system respectively. This model also represents a spectrum ranging from strategic to tactical, where tier I is the most strategic and tier III is the most tactical.
System Development Life Cycle
NIST RMF holds that all information systems are in some stage of the development life cycle at any given point in time, and security is integrated into all of these stages.
- Initiation — The need for a system, its purpose, and requirements are expressed and documented.
- Acquisition/Development — The system is designed and developed, purchased, or procured by any other means. Risk assessments are conducted, security plans are made, and security controls are selected.
- Implementation/Assessment — The system is tested, after which it can obtain an Authority to Operate (ATO) and be installed or fielded.
- Operations/Maintenance — The system is actively working and achieving its stated objectives, meanwhile maintenance activities such as hardware and software updates are performed as needed.
- Disposal — When the system is ready to be replaced, its disposal must be handled carefully to prevent the unauthorized disclosure of sensitive data and of other compromising information or system artifacts. The system’s documentation and the data it generated often remain relevant for future systems and risk management activities, so preserving and archiving them is a NIST-advised practice.
Systems more often evolve into the next generation of technology than undergo total disposal. Systems also need defined perimeters, or boundaries, to be properly managed.
Information System Boundaries
The boundary of an information system defines the furthest extent a person or application can reach within that system, and it is drawn so that the system’s security and components can be protected. System boundaries also encompass the people and processes described in the tiered risk management model. According to NIST, these boundaries need to be well thought out to increase efficiency and cost effectiveness. Systems are usually made of many subsystems and rely on support systems as well. NIST recommends having a set of common controls across the subsystems that make up the main system.
Advancements in technology can change the boundaries of information systems as well. Subsystems that are not present for the full life cycle of the main system are called dynamic subsystems. External subsystems are those that are outside of the full control of the organization that owns the main system. These types of subsystems are not new, but have become more prevalent in internet-centric architectures made possible by cloud computing.
Security Control Allocation
There are three defined types of security controls organizations can allocate to systems:
- System-specific controls — Controls that are applicable to one particular system.
- Common controls — Controls that are applicable across all systems.
- Hybrid controls — Controls that have both system-specific and common characteristics.
Common controls are preferred by NIST when appropriate because they create unity and replicability in the security plan and security reporting.
The Process
The NIST RMF process is mostly carried out in tier III of the tiered risk management hierarchy, but interactions with tiers I and II are not uncommon, such as communicating assessment results.
- Prepare — Preparation includes all the essential activities required for the organization to manage the security and privacy risk of the information system. This includes establishing the system’s purpose and requirements and conducting risk assessments.
- Categorize — The system architecture and functions are documented during categorization. The impact levels and types of the information the system will handle are also categorized.
- Select — A set of NIST Special Publication (SP) 800-53 controls is selected by the organization to address the results of system risk assessments.
- Implement — The controls that are selected are implemented into the system and documented.
- Assess — The information system and security controls implemented are then assessed for effectiveness and efficiency.
- Authorize — After assessments are complete and there is confidence in the implementation of the security plan, the information system can seek an ATO.
- Monitor — Continuous monitoring is required to ensure the security, privacy, and functionality of the system in operation. The results of continuous monitoring will be used to inform updates to the information system, security plan, and security controls.
Just like the system development life cycle, every NIST-compliant information system is in some stage of the NIST RMF process at any given time.
NIST RMF Summarized
NIST RMF is a robust risk management framework that has provided guidance for the management of most major and minor government and commercial information systems. NIST RMF is regularly updated by NIST in order to keep up with the fast rate of change of modern technology.