NIST Risk Management Framework Overview
• About the NIST Risk Management Framework (RMF)
• Supporting Publications
• The RMF Steps
– Step 1: Categorize
– Step 2: Select
– Step 3: Implement
– Step 4: Assess
– Step 5: Authorize
– Step 6: Monitor
• Additional Resources and Contact Information
NIST Risk Management Framework | 2
NIST Special Publication 800-37, Guide for Applying the Risk Management Framework
• A holistic and comprehensive risk management process
• Integrates the Risk Management Framework (RMF) into the system development lifecycle (SDLC)
• Provides processes (tasks) for each of the six steps in the RMF at the system level
[Figure: the RMF cycle – Categorize System, Select Controls, Implement Controls, Assess Controls, Authorize System, Monitor Controls]
Supporting Publications
Federal Information Processing Standards (FIPS)
• FIPS 199 – Standards for Security Categorization
• FIPS 200 – Minimum Security Requirements
Special Publications (SPs)
• SP 800-18 – Guide for System Security Plan Development
• SP 800-30 – Guide for Conducting Risk Assessments
• SP 800-34 – Guide for Contingency Plan Development
• SP 800-37 – Guide for Applying the Risk Management Framework
• SP 800-39 – Managing Information Security Risk
• SP 800-53/53A – Security Controls Catalog and Assessment Procedures
• SP 800-60 – Mapping Information Types to Security Categories
• SP 800-128 – Security-focused Configuration Management
• SP 800-137 – Information Security Continuous Monitoring
• Many others for operational and technical implementations
NIST SP 800-39: Managing Information Security Risk – Organization, Mission, and Information System View
• Multi-level risk management approach
• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Supports all steps in the RMF
Three Levels of Organization-Wide Risk Management:
– Level 1: Organization (strategic focus)
– Level 2: Mission / Business Process
– Level 3: System (Environment of Operation) (tactical focus)
NIST SP 800-39: Managing Information Security Risk – Organization, Mission, and Information System View
[Figure: Risk Management Process – Frame, Assess, Respond, Monitor, linked by information and communication flows]
NIST Special Publication 800-30, Guide to Conducting Risk Assessments
• Addresses the Assessing Risk component of Risk Management (from SP 800-39)
• Provides guidance on applying risk assessment concepts to:
– All three tiers in the risk management hierarchy
– Each step in the Risk Management Framework
• Supports all steps of the RMF
• A 3-step Process
– Step 1: Prepare for assessment
– Step 2: Conduct the assessment
– Step 3: Maintain the assessment
NIST RMF Step 1: Categorize
Purpose: Determine the criticality of the information and system according to potential worst-case, adverse impact to the organization, mission/business functions, and the system.
Federal Information Processing Standard (FIPS) 199
Standards for Security Categorization of Federal Information and Information Systems
Security Objectives: Confidentiality, Integrity, Availability
Impact Level (per security objective):
– Low: loss has limited adverse impact
– Moderate: loss has serious adverse impact
– High: loss has catastrophic adverse impact
NIST RMF Step 2: Select
Purpose:
• Select security controls starting with the appropriate baseline using categorization output from Step 1
• Apply tailoring guidance as needed based on risk assessment
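How Step 1 feeds Step 2 in practice: the following is an added example (not code from the NIST deck) that derives a FIPS 199 system categorization from the information types a system handles and then applies the FIPS 200 high-water mark to pick the SP 800-53 baseline that Step 2 starts from. The information types and their provisional impact levels are constructed for illustration.

```python
"""FIPS 199 system categorization and FIPS 200 baseline selection.

Added example, not from the NIST deck. The information types and their
provisional impact levels in the sample are constructed for illustration;
real values come from SP 800-60 and the organization's own adjustments.
"""
from typing import Dict, List, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# One information type: its name plus a provisional impact level per objective.
InfoType = Tuple[str, Dict[str, str]]

def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """FIPS 199 system categorization: for each security objective, take the
    highest impact level across all information types the system handles."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    result = {}
    for obj in OBJECTIVES:
        levels = [impact[obj] for _, impact in info_types]
        for lvl in levels:
            if lvl not in RANK:
                raise ValueError(f"unknown impact level {lvl!r}")
        result[obj] = max(levels, key=RANK.__getitem__)
    return result

def sc_notation(category: Dict[str, str]) -> str:
    """Render the FIPS 199 expression, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"

def select_baseline(category: Dict[str, str]) -> str:
    """FIPS 200 high-water mark: the SP 800-53 baseline used as the Step 2
    starting point is the highest impact level among the three objectives."""
    return max((category[obj] for obj in OBJECTIVES), key=RANK.__getitem__)

if __name__ == "__main__":
    sample = [  # constructed sample: a system holding two information types
        ("Personnel records", {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"}),
        ("Public web content", {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"}),
    ]
    cat = categorize_system(sample)
    print(sc_notation(cat), "-> baseline:", select_baseline(cat))
```

The baseline chosen here is only the starting point; the tailoring the slide mentions (scoping, compensating controls, organization-defined parameters) still follows from the risk assessment.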
Federal Information Processing Standard (FIPS) 200
Minimum Security Requirements for Federal Information and Information Systems
• Defines 17 security-related areas (families) that:
– Represent a broad-based, balanced security program
– Include management, operational, and technical security controls (all are needed for defense in depth)
• Specifies that a minimum baseline of security controls, as defined in NIST SP 800-53, will be implemented
• Specifies that the baselines are to be appropriately tailored
NIST Special Publication 800-53
Security and Privacy Controls for Information Systems and Organizations
• A catalog of security controls
• Defines three security baselines (L, M, H)
• Initial version published in 2005
• Currently using Rev. 4 (2013)
• Undergoing update to Rev. 5; draft released in Aug 2017 for public comment
Security and Privacy Controls
• A countermeasure prescribed for a system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined requirements.
• Security and privacy controls are intentionally not focused on any specific technologies
• Control implementations and assessment methods may vary based on the technology to which the control is being applied, e.g.:
– Cloud-based systems
– Mobile systems
– Applications
SP 800-53 Control Families
• AC – Access Control
• AT – Awareness and Training
• AU – Audit and Accountability
• CA – Security Assessment and Authorization
• CM – Configuration Management
• CP – Contingency Planning
• IA – Identification and Authentication
• IP* – Individual Participation
• IR – Incident Response
• MA – Maintenance
• MP – Media Protection
• PA* – Privacy Authorization
• PE – Physical and Environmental Protection
• PL – Planning
• PM – Program Management
• PS – Personnel Security
• RA – Risk Assessment
• SA – System and Services Acquisition
• SC – System and Communications Protection
• SI – System and Information Integrity
SP 800-53 Control Baselines
• Baselines are defined in Appendix D
• Determined by:
– Information and system categorization (L, M, H)
– Organizational risk assessment and risk tolerance
– System level risk assessment
• Baselines can and should be tailored, based on RISK, to fit the mission and system environment
• Some controls are not included in baselines
NIST RMF Step 3: Implement
Purpose: Implement security controls within enterprise architecture and systems using sound system security engineering practices (see SP 800-160); apply security configuration settings.
Implementation Tips
• Plan for control implementation during the development phase of the SDLC – BAKE IT IN
• Many NIST publications are available to provide implementation guidance on a wide range of controls and control types (https://csrc.nist.gov)
• Implementation may include:
– Writing and following policies, plans, and operational procedures
– Configuring settings in operating systems and applications
– Installing tools/software to automate control implementation
– Training
NIST RMF Step 4: Assess
Purpose: Determine security control effectiveness – are controls implemented correctly, operating as intended, and meeting the security requirements for the system and environment of operation?
NIST Special Publication 800-53A
Assessing Security and Privacy Controls in Systems and Organizations: Building Effective Security Assessment Plans
• Supports RMF Step 4 (Assess)
• Is a companion document to 800-53
• Is updated shortly after 800-53 is updated
• Describes high level procedures for assessing security controls for effectiveness
• Defines assessment procedures using
– Assessment Objectives
– Assessment Methods
– Assessment Objects
SP 800-53A Assessment Steps
1. Develop the Security Assessment Plan
a. Determine which controls are to be assessed
b. Select appropriate procedures to assess those controls
c. Determine depth and coverage needed for assurance
d. Tailor the assessment procedures
e. Finalize the plan and obtain approval
2. Conduct the assessment
3. Analyze the results
4. Create the Security Assessment Report
SP 800-53A Assessment Procedures “Parts”
• Assessment objectives – determination statements
• Three assessment methods and associated assessment objects
– Interview – objects are individuals/groups of individuals
– Examine – objects include:
• Specifications (e.g., documents – policies, procedures, designs)
• Mechanisms (e.g., functionality in HW, SW, firmware)
• Activities (e.g., system ops, administration, mgmt., exercises)
– Test – objects include:
• Mechanisms (e.g., HW, SW, firmware)
• Activities (e.g., system ops, administration, mgmt., exercises)
NIST RMF Step 5: Authorize
Purpose:
• The Authorizing Official (AO) examines the output of the security controls assessment to determine whether or not the risk is acceptable
• The AO may consult with the Risk Executive (Function), the Chief Information Officer, and the Chief Information Security Officer, as needed, since aggregate risk should be considered for the authorization decision
• After the initial authorization, ongoing authorization is put in place using output from continuous monitoring (see Supplemental Guidance on Ongoing Authorization at: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/nist_oa_guidance.pdf)
NIST RMF Step 6: Monitor
Purpose:
• Continuously monitor controls implemented for the system and its environment of operation for changes, signs of attack, etc. that may affect controls, and reassess control effectiveness
• Incorporate all monitoring (800-39 risk monitoring, 800-128 configuration management monitoring, 800-137 control effectiveness monitoring, etc.) into an integrated organization-wide monitoring program
Examples of Applications
• Committee on National Security Systems: overlays for specific national security systems/operational environments, such as: space platform, privacy, classified information, etc.
• The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• NIST Interagency Report 7628, Rev. 1, Guidelines for Smart Grid Cybersecurity
FISMA Overview| 35
Additional Resources and Contact Information
https://csrc.nist.gov/Projects/Risk-Management
@usaNISTgov
@NISTcyber
THANK YOU!