Understanding NIST Risk Management Framework 2.0

Urmila Borkar
May 20, 2019


NIST’s Risk Management Framework (SP 800–37, Revision 2) was released in December 2018. Revision 1 was first published in 2010 and updated in 2014. The two revisions differ substantially in approach: Revision 1 followed a security life cycle, whereas Revision 2 adopts a holistic system development life cycle that covers both security and privacy. It enables an organization to take a risk-based approach to assessing and managing security and privacy risks across its broader business capabilities. Because information systems and privacy risks are dynamic, the security posture must be assessed and monitored continuously. Authorizing officials should be able to determine whether the residual risk (the risk that remains after the selected controls are implemented) is within the organization’s risk tolerance or risk appetite.

One of the key principles of NIST’s Risk Management Framework Revision 2 (hereafter RMF2.0) is to be agile and iterative, and closely integrated with the organization’s business processes. The focus is therefore on: 1) elaborating privacy controls that complement the security controls; 2) promoting automation of control selection, assessment and monitoring so that risk can be managed in near real time; 3) close integration with the organization’s enterprise architecture and with the NIST Cybersecurity Framework; and 4) supporting agile adoption by allowing flexibility in implementation, reusing artifacts, and modelling control baselines that can be inherited organization-wide rather than defined system by system.

Interplay between security and privacy — RMF2.0 promotes harmony and collaboration between the security and privacy functions. Some organizations view the two as independent disciplines, but a coordinated approach is essential to identify and assess the applicable requirements and risks. Privacy risk is not limited to unauthorized access to and disclosure of personally identifiable information (PII); it also covers the entire life cycle of PII, from collection and processing, through notice and transparency obligations, to storage and destruction.

According to RMF2.0, a privacy control is “an administrative, technical, or physical safeguard employed within an agency to ensure compliance with applicable privacy requirements and to manage privacy risks”, whereas a security control is “a safeguard or countermeasure prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information”.

Authorization Boundary — RMF2.0 places far more emphasis on the authorization boundary than Revision 1 did, where the concept was termed the information system boundary and the authorization boundary was referenced only in passing.

The easiest way to understand the boundary is to decide what is in scope and what is out of scope for risk management purposes. The boundary establishes the relationships between the system elements, the enabling elements and the other elements that interface with the system. Once these elements are identified, the organization can consider all of the risk introduced by the information exchanged between them.

The authorization boundary is thus a deliberate decision by the organization about which system elements and information fall under its responsibility to protect. Establishing a meaningful authorization boundary is a foundational step of RMF implementation, and it must be revisited periodically given the dynamic nature of business.

Agility and automation are both established methodologies for efficient and cost-effective process management. Embarking on their adoption requires change management within the organization, such as consolidating IT (Information Technology) and OT (Operational Technology) processes, reducing complexity, and eliminating unnecessary systems. Each step of the RMF2.0 approach becomes more effective when it is implemented with this mindset.

Risk Management approach — The RMF2.0 multi-tiered pyramid has been slightly revised from its predecessor: strategic decisions remain at level 1 (organization) and level 2 (mission/business process), and they shape the tactical decisions taken at level 3 (information system). Level 3 therefore offers the most granular risk perspective, which progressively broadens toward level 1 to give a consolidated, organization-wide view of risk.

The roles and responsibilities section provides a detailed listing of the recommended roles for each task in the risk management cycle. It is worth noting that roles are defined such that a senior role is accountable for a specific task, while responsibility for executing the task may rest with the same role or be delegated to a representative authorized by it. Examples are the distinction between the Senior Agency Information Security Officer and the Chief Information Officer, and between the Senior Accountable Official for Risk Management and the Risk Executive (Function). The implication is that the senior roles are the decision makers for overall strategy, budgetary planning and organizational structure, while the delegated roles are responsible for executing the risk management tasks.

Selection of controls can be complemented by NIST Special Publication 800–53B, which covers selecting and tailoring control baselines. Each control is then designated as common, system-specific or hybrid. Common controls are those that apply at a broader level and can be inherited by the information systems that share the same capability or impact level. For consistency and effectiveness, RMF2.0 recommends maximizing the use of common controls, which also makes the selection, assessment and monitoring of controls easier to automate.

When a security or privacy requirement cannot be fully met by a common control, the organization can use a hybrid control: it specifies which parts of the control requirement are inherited from the common control and which parts are satisfied by an explicit system-level implementation.
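The common/hybrid/system-specific allocation described above can be resolved mechanically, which is what an organization needs if it wants to automate the Select step as RMF2.0 encourages. The following is an added Python example; it is not code from the original article or from any NIST publication. The control identifiers follow the SP 800–53 family naming (AC-2, AU-6, PE-3, SC-7), but the part letters, the common-control providers (“Facilities”, “Enterprise IAM”, “Network Ops”) and the system plan are constructed for illustration. For each baseline control it records which parts are inherited and from whom, which parts the system implements itself, classifies the control accordingly, and flags any required part that nobody has claimed, which is the check a practitioner wants before the control allocation is signed off.

```python
"""Added example: resolving common, hybrid and system-specific control allocation.

Not from the original article or from NIST. Control ids mimic SP 800-53
families; the part letters, providers and plans below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Allocation:
    control_id: str
    kind: str                        # "common", "hybrid", "system" or "unallocated"
    provider: Optional[str]          # owner accountable for the inherited part, if any
    inherited: FrozenSet[str]        # parts satisfied by the common control
    system_specific: FrozenSet[str]  # parts the system implements itself
    gaps: FrozenSet[str]             # required parts that nobody has claimed


# Constructed catalog fragment: control id -> parts a system must satisfy.
CATALOG: Dict[str, FrozenSet[str]] = {
    "AC-2": frozenset("abcd"),  # account management
    "AU-6": frozenset("ab"),    # audit record review
    "PE-3": frozenset("ab"),    # physical access control
    "SC-7": frozenset("abc"),   # boundary protection
}

# Constructed organization-wide common controls: control id -> (provider, parts offered).
# In this constructed plan Enterprise IAM offers only parts a and b of AC-2,
# so AC-2 can at best be a hybrid control for any system that needs all four.
COMMON_CONTROLS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "PE-3": ("Facilities", frozenset("ab")),
    "AC-2": ("Enterprise IAM", frozenset("ab")),
    "SC-7": ("Network Ops", frozenset("abc")),
}

# Constructed system plan: parts the system owner intends to implement locally.
SYSTEM_PLAN: Dict[str, FrozenSet[str]] = {
    "AC-2": frozenset("cd"),
    "AU-6": frozenset("a"),   # part b is deliberately left out to show a gap
}

BASELINE: List[str] = ["AC-2", "AU-6", "PE-3", "SC-7"]


def allocate_controls(baseline, catalog, common_controls, system_plan):
    """Resolve each baseline control to common / hybrid / system and find gaps."""
    result: Dict[str, Allocation] = {}
    for cid in baseline:
        required = catalog[cid]
        provider, offered = common_controls.get(cid, (None, frozenset()))
        inherited = offered & required
        # Parts the provider already covers are not counted as system-specific,
        # so a system cannot "double claim" a part and mask a gap elsewhere.
        own = system_plan.get(cid, frozenset()) & (required - inherited)
        gaps = required - inherited - own
        if inherited == required:
            kind = "common"
        elif inherited and own:
            kind = "hybrid"
        elif own:
            kind = "system"
        else:
            kind = "unallocated"
        result[cid] = Allocation(cid, kind, provider if inherited else None,
                                 frozenset(inherited), frozenset(own), frozenset(gaps))
    return result


def uncovered(allocations):
    """Controls with required parts that neither a provider nor the system claims."""
    return {cid: a.gaps for cid, a in allocations.items() if a.gaps}


def inheritance_ratio(allocations):
    """Share of required parts satisfied by common controls (RMF2.0 says maximize it)."""
    total = sum(len(a.inherited) + len(a.system_specific) + len(a.gaps)
                for a in allocations.values())
    return sum(len(a.inherited) for a in allocations.values()) / total if total else 0.0


def example_allocation():
    """Run the allocation over the constructed baseline, catalog, providers and plan."""
    return allocate_controls(BASELINE, CATALOG, COMMON_CONTROLS, SYSTEM_PLAN)


if __name__ == "__main__":
    allocs = example_allocation()
    for cid, a in allocs.items():
        print(f"{cid}: {a.kind:11s} provider={a.provider!s:15s} "
              f"inherited={sorted(a.inherited)} system={sorted(a.system_specific)} "
              f"gaps={sorted(a.gaps)}")
    print("uncovered:", {c: sorted(g) for c, g in uncovered(allocs).items()})
    print(f"inherited share of required parts: {inheritance_ratio(allocs):.0%}")
```

On the constructed data PE-3 and SC-7 resolve as common controls, AC-2 becomes a hybrid (parts a and b from Enterprise IAM, c and d from the system), and AU-6 is flagged because part b is neither offered by a provider nor planned by the system owner. The provider recorded on each inherited part is the organization-level owner the assessor goes to for evidence, which is the practical payoff of maximizing common controls.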

The RMF2.0 Framework — Revision 2 adds the important Prepare step to the six-step model of the earlier release, giving seven steps in total.

Figure: NIST Risk Management Framework 2.0 (the seven-step cycle)

Prepare — This step is carried out at two levels, the organization level and the system level. Its primary tasks include identifying roles and responsibilities, establishing the risk management strategy, assessing organization-wide risk, identifying and tailoring the common controls, and defining the strategy for continuous monitoring.

Categorize — This step describes the system and agrees its security category based on business impact and the risks identified, so that the controls subsequently selected can manage the risk within acceptable limits.

Select — As the name implies, this step selects, tailors, allocates and documents the controls commensurate with the risks identified for the system. The strategy for continuous monitoring of the selected controls is also agreed at this stage.

Implement — Controls allocated in the security and privacy plans are implemented at this stage. Another key point is to document any deviation from the planned implementation of the controls, since this feeds back into the control baselines set in the earlier Prepare and Select steps.

Assess — In this step the implemented controls are assessed to determine whether the objectives of the security and privacy controls have been met. The assessment method matters and must be documented, reviewed and approved. Deficiencies identified lead to remediation plans that are carried out by returning to the Implement step.

Authorize — This step allows the authorizing official to determine whether the security and privacy risk posture achieved after implementing the planned controls (the residual risk) is within acceptable limits. This is the most crucial step: the risk analysis is conducted and the risk response is documented here, and its outcome forms the basis for the strategy in the next risk management cycle. If the residual risk is acceptable, the cycle enters the continuous monitoring step; otherwise it returns to the Prepare step to re-evaluate the security and privacy controls allocated. The risk analysis report, risk response and remediation plan are documented as the authorization decision, which itself carries an expiry (termination) date, indicating that the decision was taken in the context of the risk posture at that time and must be re-evaluated once it expires.

Monitor — As the name implies, this step maintains the security and privacy posture of the system and the organization in line with the risk determined. Ongoing assessments and risk responses are recorded in this step. It remains critical across the whole life cycle of the system, including its disposal.

Clearly, the RMF2.0 steps must be applied iteratively. For example, assessment of the implemented controls may reveal deficiencies, which lead to a remediation plan and hence a further pass through the Implement and Assess steps.

Conclusion — The NIST Risk Management Framework 2.0 is highly relevant to managing the dynamic nature of cyber security threats. It encourages organizations that already run an agile business model to integrate RMF2.0 with it, and those that have yet to adopt one to do so. Recent large-scale attacks such as WannaCry and NotPetya have made organizations realize the significance of implementing the Cybersecurity Framework together with a robust risk management methodology, and this document is a timely release.


Urmila Borkar is Chief Information Security Officer (Director) at Capgemini Singapore, for APAC Financial Services business.