Article

NIST Risk Management Framework (RMF)

Security
Time to read: 14 minutes

The NIST Risk Management Framework (RMF) is a set of processes all federal agencies must use to identify, implement, assess, manage, and monitor cybersecurity capabilities and services to find, eliminate, and mitigate ongoing risks in new and legacy systems. Developed by a Joint Task Force (JTF) that included the National Institute for Standards and Technology (NIST), the United States Intelligence Community (IC), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), the NIST RMF replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP).

The NIST RMF brings a risk-based approach to cybersecurity implementations that begins early in system lifecycles by integrating security, privacy, and cyber supply chain risk management. The NIST RMF drives risk-based considerations into the control selection and specification and focuses on effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, and regulations.

Five components of NIST RMF

Five components comprise the NIST RMF: Identification, Measurement and Assessment, Mitigation, Reporting and Monitoring, and Governance.

1. Identification
The NIST RMF begins with identifying the risks across an organization, such as legal, privacy, and strategic risks. This component of the NIST RMF needs to be conducted regularly as risk landscapes change.

2. Measurement and assessment
The measurement and assessment component guides the development of risk profiles for the risks that are identified.

3. Mitigation
With the NIST RMF, risk mitigation involves reviewing the risks that are identified to determine the severity. In some cases, risks are acceptable and do not require any action. Other risks should be mitigated, and still others may require elimination.

4. Reporting and monitoring
The NIST RMF includes processes for sharing information about risks and regular evaluations of risks to identify any changes that warrant additional action.

5. Governance
With its risk governance component, the NIST RMF ensures that risk management elements have been implemented and risk-related policies are enforced.

NIST RMF goals

The primary goals of the NIST RMF are to:

  • Enhance information security
  • Foster reciprocity among federal agencies
  • Improve risk management processes

To achieve these goals, the NIST RMF drives organizations to:

  • Follow a risk management methodology that identifies vulnerabilities caused by non-compliant controls and prioritizes them based on risk factors (e.g., likelihood, threat, and impact).
  • Implement a tiered approach to risk management that focuses on the business process level, enterprise level, information system level, and mission level.
  • Incorporate cybersecurity early and robustly in the acquisition and system development lifecycle.
  • Require continuous monitoring and timely correction of deficiencies, vulnerabilities, and incidents related to information security.
  • Support authorization reciprocity to allow organizations to accept approvals by other organizations for interconnection or reuse of IT systems without retesting.

Seven steps in the NIST RMF

The seven steps in the NIST RMF are: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor Security Controls.

1. Prepare

The organization gets ready to manage its security and privacy risks by:

  • Assessing organization-wide risk.
  • Defining key risk management roles.
  • Determining risk tolerance.
  • Developing and implementing an organization-wide strategy for continuous monitoring.
  • Establishing a formal risk management strategy.
  • Identifying common controls.

2. Categorize

The risks to systems and information processed, stored, and transmitted are categorized based on an impact analysis of loss of confidentiality, integrity, and availability (CIA). This categorization includes impact levels low, moderate, or high. During the NIST RMF Categorize step:

  • System characteristics are documented.
  • Security categorization of the system and information is completed.
  • Categorization decisions are reviewed and approved by the authorizing official.

3. Select

The required security controls are identified. The NIST RMF Select step includes:

  • Allocating controls to specific system components.
  • Designating controls as system-specific, hybrid, or common.
  • Developing a system-level continuous monitoring strategy.
  • Ensuring that security and privacy plans reflect the control selection, designation, and allocation.
  • Selecting and tailoring control baselines.

4. Implement 

The controls in the security and privacy plans for the system and organization are implemented. During the NIST RMF Implement step:

  • The controls are implemented.
  • All the processes and procedures for how the controls are deployed are documented.
  • Security and privacy plans are updated to reflect how the controls are implemented.

5. Assess

An assessment is conducted to determine if the controls are implemented correctly and address the security and privacy requirements. The Assess step of the NIST RMF includes:

  • Assigning an assessor and assessment team.
  • Developing plans for the security and privacy assessment.
  • Reviewing and approving assessment plans.
  • Conducting the control assessments in accordance with assessment plans.
  • Producing security and privacy assessment reports.
  • Implementing remediation actions to address any deficiencies in controls.
  • Updating security and privacy plans with control implementation changes based on assessments and remediation actions.
  • Establishing a plan of action and milestones.

6. Authorize

Once everything is working as intended, executive approval of the risk mitigation mechanisms is provided. During the Authorize step of the NIST RMF:

  • Authorization packages, including an executive summary, system security and privacy plan, assessment report(s), plan of action, and milestones, are produced.
  • The risk determination is provided.
  • Risk responses are provided.
  • The authorization of the system and controls is approved or denied.

7. Monitor security controls

A continuous monitoring strategy is required to ensure that the security controls are working. Included in the NIST RMF Monitor step is:

  • Continuous monitoring of the system and environment.
  • Ongoing assessments of control effectiveness.
  • Analysis and response to the output of continuous monitoring activities.
  • Reports about security and privacy posture for management.
  • Ongoing authorizations.

RMF roles and responsibilities

The NIST RMF provides a list of roles and responsibilities for key participants in a risk management program. These are recommendations; it is not required to have each position assigned to a person, only that the functions are performed. Care must be taken so that the individuals or groups assigned to a role or function do not have conflicting interests. The NIST RMF roles and responsibilities include the following.

The NIST RMF roles listed by NIST and the Information Technology Laboratory (ITL)in their NIST RMF Quick Start Guide are:

  • Authorizing official or authorizing official designated representative
  • Chief acquisition officer
  • Chief information officer
  • Common control provider
  • Control assessor
  • Enterprise architect
  • Head of agency
  • Information owner or steward (or system owner)
  • Mission or business owner
  • Risk executive or senior official for risk management
  • Security or privacy architect
  • Senior agency information security officer
  • Senior agency official for privacy
  • System administrator
  • System owner
  • System security or privacy engineer
  • System security or privacy officer
  • User

NIST RMF best practices

Automation and continuous monitoring
Leverage technology to automate and streamline NIST RMF tasks. This is especially important for continuous monitoring of threats and vulnerabilities.

Categorization and prioritization of risks
Risks should be categorized based on the chance of them happening, their potential impact, and an organization’s risk tolerance. Based on these measurements, risks can be categorized and prioritized based on how they will be handled, such as accept, refuse, transfer, or mitigate.

Metrics and reporting
Establish clear metrics to track progress, demonstrate the value of the NIST RMF, and identify areas for improvement and updates to address issues and optimize systems.

Ownership and buy-in
When an organization is not required to use the NIST RMF, it is important that the leadership team and key stakeholders understand why it is important and the value that it will provide. It is also important that those on the implementation team and individuals who will be impacted by the NIST RMF understand the benefits and their role in the associated deployment and maintenance work.

Regular risk assessments
Risk assessments should be scheduled to ensure that they are conducted regularly. Unscheduled risk assessments should be conducted if a system has significant changes.

NIST Risk Management Framework resources

NIST Special Publication 800-37, Revision 2 (aka NIST RMF)
Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST SP 800-37, the NIST RMF, instructs on the monitoring of security controls across the system development lifecycle
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

NIST Special Publication 800-53, Revision 5
Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-53 guides teams in selecting and implementing security controls to mitigate risk).
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

NIST RMF Framework FAQ
General and NIST Special Publication (SP) 800-53
https://csrc.nist.gov/Projects/risk-management/faqs

NIST RMF Quick Start Guide
Roles and Responsibilities Crosswalk is based on key steps and responsibilities detailed in the NIST RMF.
https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf

NIST RMF Quick Start Guide on Prepare Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/01-Prepare%20Step/NIST%20RMF%20Prepare%20Step-FAQs.pdf

NIST RMF Quick Start Guide on Categorize Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/02-Categorize%20Step/NIST%20RMF%20Categorize%20Step-FAQs.pdf

NIST RMF Quick Start Guide on Select Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/03-Select%20Step/NIST%20RMF%20Select%20Step-FAQs.pdf

NIST RMF Quick Start Guide on Implement Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/04-Implement%20Step/NIST%20RMF%20Implement%20Step-FAQs.pdf

NIST RMF Quick Start Guide on Assess Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/05-Assess%20Step/NIST%20RMF%20Assess%20Step-FAQs.pdf

NIST RMF Quick Start Guide on Authorize Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/06-Authorize%20Step/NIST%20RMF%20Authorize%20Step-FAQs.pdf

NIST RMF Quick Start Guide on Monitor Step
https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/07-Monitor%20Step/NIST%20RMF%20Monitor%20Step-FAQs.pdf

NIST RMF for the private sector

Although the NIST RMF was created for use by federal agencies, it can also be used by organizations operating in the private sector. The NIST RMF helps organizations of all types and sizes reduce cybersecurity risk and better protect their IT resources.

NIST RMF FAQ

What is the NIST RMF framework?
In 2010, The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD), released the Risk Management Framework (RMF). It is a comprehensive set of guidelines, including more than 1000 security controls, that provides a risk-based approach to managing information security and privacy. Every federal agency is required to comply with the processes outlined within the RMF. It is also used to help implement risk management programs that meet the requirements of the Federal Information Security Modernization Act (FISMA).

While it was developed for federal government systems and information, the NIST RMF has been adopted as the general standard by non-governmental organizations around the world. Part of the appeal of the NIST RMF is that it is not a fixed set of rules. It is a highly flexible set of guidelines that can be adapted to meet the needs of any organization.

The approach taken with the NIST RMF shifts security, privacy, and risk management to the beginning of the information system development life cycle. It is also applied to supply chain management. This ensures that security is integrated into all components and processes related to information systems. The shift also helps security teams optimize security and privacy on an organization-wide level.

What is the difference between NIST 800-37 and 800-53?
These two standards are used in tandem to meet federal requirements. NIST 800-53. “Guide for Assessing Security Controls in Federal Information Systems and Organizations” details the mandatory security and privacy controls for federal organizations and their information systems. NIST 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” details the NIST approach for identifying, assessing, and prioritizing risks to information systems.

NIST 800-37 focuses on the risk management process, with explicit steps to detect and categorize the impact of threats and vulnerabilities. NIST 800-53 specifies security controls to mitigate and remediate threats and vulnerabilities. It includes 18 categories of controls ranging from access control and configuration management to incident response and media protection. Organizations select which controls to implement based on factors such as their size, mission, and the sensitivity of the information they handle.

What are the six phases of NIST?

  1. Categorize the system
    Before beginning the development and setup of a new system, the information that it will process, store, and share, as well as the underlying supporting systems, need to be classified based on a risk impact analysis. For government agencies, this is done according to the instructions detailed in the Federal Information Processing Standards (FIPS) 199 (FIPS-199) and NIST Special Publication 800-60 (NIST SP 800-60). This step must be used for any federal information system, whether it is hosted internally, externally, or in the cloud.
  2. Select security controls
    Based on the categorizations established in the first step, a set of baseline controls needs to be selected or updated based on the current risk assessment. The required security controls include technical, operational, and managerial. FIPS-200 and NIST SP 800-53 provide guidance on how to select security controls. There are three types of controls to consider—common, hybrid, and system-specific controls. Common controls are those that are fully inherited by a system from a higher-level system or environment, such as an organization-wide service (e.g., email) or network. Hybrid controls come from a common control provider, but the system owner has some responsibility for implementation and management. System-specific controls are entirely the system's or system owner's responsibility to implement, operate, manage, and monitor.
  3. Implement security controls
    If hybrid or system-specific controls are used, they need to be implemented and integrated with existing systems. During this phase, it is important to document how they are implemented and integrated, as well as their effects on the operating environment.
  4. Conduct the security assessment
    Security and privacy controls for managing risk must be assessed to confirm the necessary elements are in place and that they are working correctly. For systems rated as low impact (i.e., loss would have a limited adverse impact), self-assessment and reporting are permitted. For systems rated as moderate impact (i.e., loss would have a serious adverse impact) or high impact (i.e., loss would have a catastrophic impact), a third-party assessment is required. Assessors must be familiar with the NIST RMF and the controls in the NIST SP 800-53 control catalog.
  5. Authorize the system
    Once the assessments have been completed with favorable results, the report is sent to the authorizing official for approval. Upon approval, the system can be connected to the network and commence operations.
  6. Conduct continuous monitoring and reauthorization
    Continuous monitoring covers the oversight and remediation of security controls once a system has been authorized for deployment. The automated and manual functions included as part of this phase include intrusion detection and prevention (IDS/IPS), vulnerability management, patch management, and application and system event log collection and analysis. Depending on the impact level of systems, assessments, and reauthorizations are required at varying frequencies, ranging from annually to every three years. NIST SP 800-53 provides guidance on monitoring information systems.
Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief

Get started

See what SailPoint identity security can do for your organization

Discover how our solutions enable modern enterprises today to meet the challenge of ensuring secure access to resources without compromising productivity or innovation.

Request a demoContact us