Learn the NIST Risk Management Framework

NIST-based Risk Assessment Takeaways

As of late, it seems like everyone is opting to align their risk and compliance programs to the NIST Risk Management Framework (RMF). I have a basic understanding of NIST, but wanted to dive deeper. I learned quickly that NIST provides a plethora of guides and materials. I waded through the documents, seeking to extract key themes.

For those who aren’t aware, NIST is the National Institute of Standards and Technology, a non-regulatory agency of the U.S. Commerce Department. NIST develops and issues standards, guidelines and other documents to encourage and assist federal agencies and the private sector with security controls and regulatory compliance requirements.

Even if you don’t consider yourself a NIST expert, terms you may have heard are:

NIST 800-53 – A catalog of security and privacy controls designed for U.S. federal information systems
NIST CSF – Cyber Security Framework of technology security guidance for private sector organizations
NIST RMF – Risk Management Framework to facilitate decision-making to select appropriate security controls

The purpose of risk assessments is to inform decision-makers about the relevant threats, vulnerabilities, and impacts related to a particular system or part of the business, which means you must start by establishing which assets are most valuable. Proper risk assessment creates an opportunity to ensure the appropriate controls are aligned to those assets.

As I explored resources, I decided to center my focus on NIST RMF. Many organizations have developed risk assessment programs based around NIST, typically subscribing to the following NIST-based principles:

In Special Publication 800-37 revision 2 (published in December 2018), NIST prescribes seven steps for successful execution of the RMF:

Preparation to initiate the process.
Categorize the system and information using an impact analysis to identify your High Value Assets (HVAs).
Select the baseline or organization-generated controls appropriate for the system and environment.
Implement the controls as described in the security and privacy plans, consistent with the organization’s enterprise architecture.
Assess controls after establishing the assessment team and plan. Document findings, remediation actions, and Plan of Action and Milestones (POAMs).
Authorize systems. Create authorization packages to allow authorization officials to make risk-based decisions.
Monitor systems and their environments for changes, control effectiveness, risk, and authorization.

NIST designed the RMF to be technology-agnostic and flexible. The more I read, two key themes stuck out to me:

Organizations should approach the process in phases.
The risk management process should remain continuous.

I realize these are fundamental concepts to any risk management framework. Every risk professional knows—risk management is a process, not an event; you’re never ‘done’ with it.

Aligning a program to NIST Risk Management Framework is no small undertaking.

NIST recommends the use of automation wherever possible to increase the speed, effectiveness and efficiency of executing the steps in the RMF. Onspring helps clients centralize and map together the elements of their program (systems, controls, threats, etc.); automate the workflow around collection and review of information; and facilitate robust reporting. Leveraging a technology for these activities breeds efficiencies—such as documenting a set of controls and mapping them to multiple systems. Onspring helps companies take their programs out of spreadsheets and drive more efficiency out of their NIST-based risk assessments.

Diving deep into NIST RMF allowed me to better articulate the concepts simply, and to break a complex document into pieces that feel consumable. If you want the full story, and are looking for a (not so light) good read, I invite you to read all 183 pages of the NIST SP 800-37 Rev 2.