NIST Risk Management Framework: The Process

Riadh Brinsi
3 min read · Oct 6, 2022


The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.

NIST RMF is a seven-step process:

(figure source: https://netgaincloud.com/blog/new-nist-framework-strengthens-risk-management/)
  • Prepare: Essential activities to prepare the organization to manage security and privacy risks
  • Categorize: Categorize the system and information processed, stored, and transmitted based on an impact analysis
  • Select: Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
  • Implement: Implement the controls and document how controls are deployed
  • Assess: Assess to determine if the controls are in place, operating as intended, and producing the desired results
  • Authorize: Senior official makes a risk-based decision to authorize the system (to operate)
  • Monitor: Continuously monitor control implementation and risks to the system

Risk Management Framework (RMF) — Prepare Step

  1. Purpose: Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF
  2. Outcomes:
  • key risk management roles identified
  • organizational risk management strategy established, risk tolerance determined
  • organization-wide risk assessment
  • organization-wide strategy for continuous monitoring developed and implemented
  • common controls identified

Risk Management Framework (RMF) — Categorize Step

  1. Purpose: Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems
  2. Outcomes:
  • system characteristics documented
  • security categorization of the system and information completed
  • categorization decision reviewed/approved by the authorizing official

Risk Management Framework (RMF) — Select Step

  1. Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk
  2. Outcomes:
  • control baselines selected and tailored
  • controls designated as system-specific, hybrid, or common
  • controls allocated to specific system components
  • system-level continuous monitoring strategy developed
  • security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved

Risk Management Framework (RMF) — Implement Step

  1. Purpose: Implement the controls in the security and privacy plans for the system and organization
  2. Outcomes:
  • controls specified in security and privacy plans implemented
  • security and privacy plans updated to reflect controls as implemented

Risk Management Framework (RMF) — Assess Step

  1. Purpose: Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
  2. Outcomes:
  • assessor/assessment team selected
  • security and privacy assessment plans developed
  • assessment plans are reviewed and approved
  • control assessments conducted in accordance with assessment plans
  • security and privacy assessment reports developed
  • remediation actions to address deficiencies in controls are taken
  • security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
  • plan of action and milestones developed

Risk Management Framework (RMF) — Authorize Step

  1. Purpose: Provide accountability by requiring a senior official to determine whether the security and privacy risk arising from the operation of a system or the use of common controls is acceptable.
  2. Outcomes:
  • authorization package developed (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
  • risk determination rendered
  • risk responses provided
  • authorization for the system or common controls is approved or denied

Risk Management Framework (RMF) — Monitor Step

  1. Purpose: Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions
  2. Outcomes:
  • system and environment of operation monitored in accordance with continuous monitoring strategy
  • ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
  • output of continuous monitoring activities analyzed and responded to
  • process in place to report security and privacy posture to management
  • ongoing authorizations conducted using results of continuous monitoring activities
