NIST designed the RMF to be technology-agnostic and flexible. The more I read, two key themes stood out to me:
- Organizations should approach the process in phases.
- The risk management process should remain continuous.
I realize these are fundamental concepts in any risk management framework. Every risk professional knows that risk management is a process, not an event; you are never ‘done’ with it.
Aligning a program to the NIST Risk Management Framework is no small undertaking.
NIST recommends using automation wherever possible to increase the speed, effectiveness and efficiency of executing the RMF steps. Onspring helps clients centralize and map the elements of their program (systems, controls, threats, etc.); automate the workflow around collecting and reviewing information; and produce robust reporting. Using a purpose-built tool for these activities creates efficiencies, such as documenting a set of controls once and mapping them to multiple systems. Onspring helps companies move their programs out of spreadsheets and get more efficiency out of their NIST-based risk assessments.
Diving deep into the NIST RMF allowed me to articulate the concepts more simply and to break a complex document into pieces that feel consumable. If you want the full story and are looking for a (not so light) good read, I invite you to read all 183 pages of NIST SP 800-37 Rev 2.