This blog article answers the question “What is the NIST Risk Management Framework (RMF)?”
The NIST RMF creates a set of guidelines that enable organizations to manage security and privacy risks. Although focused on federal information systems, the risk management processes can be applied to the private sector as well.
Fundamentally, the RMF exists to:
- Align security and privacy risks with business objectives and the overarching organizational risk management strategy
- Implement appropriate risk response strategies
- Support consistent, informed, and ongoing security and privacy information sharing
- Help integrate security and privacy controls across all areas of the organization
How many steps are there in the NIST RMF?
The RMF takes an organization-wide approach to risk management, aligning organization and business process objectives with information system decisions. The organization and business process risk decisions act as the foundation for selecting and implementing controls at the technology level.
The RMF sets out seven essential steps that all organizations using the model must follow:
- Prepare: Create a context and priorities for managing security and privacy risk
- Categorize: Identify and catalog all systems and the information they process, store, and transmit, then analyze the impact that the loss of these assets would have
- Select: Align and set risk-mitigating controls around risk tolerance
- Implement: Put controls in place and document the process
- Assess: Test to ensure that the controls work as intended to mitigate risk
- Authorize: Document that the controls mitigate risk as intended and will remain in place until they fail to mitigate the risk appropriately
- Monitor: Continuously monitor controls’ effectiveness, document any system changes, conduct ongoing risk assessments and impact analyses, and report on security and privacy posture
The last step is often the one that companies struggle to manage. The RMF requires that the people authorizing the security and privacy posture have the necessary information to make informed decisions. However, for many organizations, managing various technologies and maintaining documentation is difficult. Moreover, malicious actors continuously evolve their threat methodologies, which means that controls that work today may not work tomorrow.
Understanding Supply Chain Management
The RMF recognizes that most businesses rely on third-party technologies. For example, nearly every business uses either Microsoft O365, Google Suite, or third-party file-sharing technology. All these technologies impact an organization’s risk posture.
The 2018 RMF appears forward-thinking when viewed against today’s threat landscape. Increasingly, malicious actors target critical members of the supply chain. For instance, a threat actor can use a vulnerability in a business application to gain unauthorized access to the company’s network. From there, they can escalate their privileges, granting themselves additional access rights. As they accumulate more access, they can ultimately reach sensitive information.
The RMF recognizes that supply chain risk management (SCRM) is challenging. Often, organizations are at the mercy of commercial off-the-shelf (COTS) products, which means they have limited control over the product or service. The RMF addresses this by allowing businesses to rely on existing information where a credible determination of control effectiveness has already been made. Even so, the company implementing the technology and its authorizing official remain responsible for responding to risks, not the vendor.
SteelCloud: Automated Hardening to Meet NIST RMF Best Practices
SteelCloud’s patented ConfigOS technology gives organizations an easy way to establish best practices for complying with the NIST RMF. Our solution can scan your environment in less than 60 minutes, giving you complete visibility into your security posture. ConfigOS automates remediation activities based on control criticality, reducing the risks to your environment.