Learning the NIST Risk Management Framework
NIST-BASED RISK ASSESSMENT TAKEAWAYS
By Beth Strobel
I have a confession to make: I haven’t taken a math class since 11th grade. When I was in college, my Communications major required me to take at least one logic and reasoning course. Instead of choosing Statistics or Introduction to Accounting, I chose the Theory and Practice of Debate. I loved this course. We learned how to structure arguments, argue both sides of a debate, and anticipate rebuttals. It ended up being one of my favorite college courses, and made me realize that I didn’t dislike the logic of math; I disliked the numbers. Learning how to break seemingly complex topics into pieces that could be understood is a skill that has served me well since then.
I had the opportunity to use that skill recently as I sought to understand more about the NIST Risk Management Framework (RMF). As of late, it seems like everyone is opting to align their risk and compliance programs to the NIST frameworks. I have a basic understanding of NIST, but wanted to dive deeper. I learned quickly that NIST provides a plethora of guides and materials. I waded through the documents, seeking to extract key themes.
For those who aren’t aware, NIST is the National Institute of Standards and Technology, a non-regulatory agency of the U.S. Commerce Department. NIST develops and issues standards, guidelines and other documents to encourage and assist federal agencies and the private sector with security controls and regulatory compliance requirements.
Even if you don’t consider yourself a NIST expert, terms you may have heard are:
- NIST 800-53 – A catalog of security and privacy controls designed for U.S. federal information systems
- NIST CSF – Cyber Security Framework of technology security guidance for private sector organizations
- NIST RMF – Risk Management Framework to facilitate decision-making to select appropriate security controls
One of the take-aways from my college debate course was to establish a thesis statement for your argument—a north star to tie things back to. As I explored resources, I decided to center my focus on NIST RMF. Many organizations have developed risk assessment programs based around NIST, typically subscribing to the following NIST-based principles:
- The purpose of risk assessments is to inform decision makers about the relevant threats, vulnerabilities and impacts related to a particular system or part of the business.
- You must start by establishing which assets are most valuable.
- Proper risk assessment creates an opportunity to ensure the appropriate controls are aligned to those assets.
In Special Publication 800-37 revision 2 (published in December 2018), NIST prescribes seven steps for successful execution of the RMF:
1. Preparation to initiate the process.
2. Categorize the system and information using an impact analysis to identify your High Value Assets (HVAs).
3. Select the baseline or organization-generated controls appropriate for the system and environment.
4. Implement the controls as described in the security and privacy plans, consistent with the organization’s enterprise architecture.
5. Assess controls after establishing the assessment team and plan. Document findings, remediation actions and Plan of Action and Milestones (POAMs).
6. Authorize systems. Create authorization packages to allow authorization officials to make risk-based decisions.
7. Monitor systems and their environments for changes, control effectiveness, risk, and authorization.
NIST designed the RMF to be technology-agnostic and flexible. The more I read, two key themes stuck out to me:
- Organizations should approach the process in phases.
- The risk management process should remain continuous.
I realize these are fundamental concepts to any risk management framework. Every risk professional knows—risk management is a process, not an event; you’re never ‘done’ with it.
Aligning a program to NIST RMF is no small undertaking. NIST recommends the use of automation wherever possible to increase the speed, effectiveness and efficiency of executing the steps in the RMF. Onspring helps clients centralize and map together the elements of their program (systems, controls, threats, etc.); automate the workflow around collection and review of information; and facilitate robust reporting. Leveraging a technology for these activities breeds efficiencies—such as documenting a set of controls and mapping them to multiple systems. Onspring helps companies take their programs out of spreadsheets and drive more efficiency out of their NIST-based risk assessments.
Diving deep into NIST RMF allowed me to better articulate the concepts simply, and to break a complex document into pieces that feel consumable. If you want the full story, and are looking for a (not so light) good read, I invite you to read all 183 pages of the NIST SP 800-37 Rev 2. I’m far enough removed from my college coursework that I do not invite you to engage me in a debate about it—at least, not unless you give me fair warning!