
Running head: RISK MANAGEMENT FRAMEWORK OVERVIEW 1

Risk Management Framework – An Overview

Wayne Fischer

University of San Diego

CSOL 530 Cyber Security Risk Management

Summer 2019

Abstract

This paper describes the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) and how it is used to reduce risk when operating information systems. It is written in the form of a brief for a manager, CFO, or CEO about the process used to assess risk, authorize a system for operation, and monitor the system once it is in operation. It is written with the assumption that there will be changes to personnel, hardware, software, and firmware, as well as within the environment. The environment is assumed to be a shared office space in which contractors and other organizations share the space.

Keywords: Cyber Security, Risk Management Framework, RMF, Compliance, NIST, Authorization to Operate, Security Assessment Report, Managing Risk, Information Security



Contents

Abstract ........ 2
What is the Risk Management Framework? ........ 4
Using the Risk Management Framework to Manage Risk ........ 6
Step One – Prepare ........ 6
Step Two – Categorize ........ 7
Step Three – Select Controls ........ 9
Step Four – Implement Controls ........ 10
Step Five – Assess Controls ........ 11
Step Six – Authorize System ........ 12
Step Seven – Monitor Controls ........ 13
Summary ........ 16
References ........ 17

What is the Risk Management Framework?

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) outlines a seven-step process as an approach to addressing information security risk in an organization (Joint Task Force, 2018, pp. 8-9). The framework is flexible, aligns with a system development life cycle (SDLC), includes privacy and security aspects, and can be implemented before, during, or after information systems are used in an organization. As the Joint Task Force (2018, pp. 2-3) describes, the RMF

• Provides a repeatable process designed to promote the protection of information and information systems commensurate with risk;
• Emphasizes organization-wide preparation necessary to manage security and privacy risks;
• Facilitates the categorization of information and systems, the selection, implementation, assessment, and monitoring of controls, and the authorization of information systems and common controls;
• Promotes the use of automation for near real-time risk management and ongoing system and control authorization through the implementation of continuous monitoring processes;
• Encourages the use of correct and timely metrics to provide senior leaders and managers with the necessary information to make cost-effective, risk-based decisions for information systems supporting their missions and business functions;
• Facilitates the integration of security and privacy requirements and controls into enterprise architecture, SDLC, acquisition processes, and systems engineering processes;


• Connects risk management processes at the organization and mission/business process levels to risk management processes at the information system level through a senior accountable official for risk management and risk executive (function); and
• Establishes responsibility and accountability for controls implemented within information systems and inherited by those systems.

The seven steps of the NIST RMF are shown in light blue boxes in the interior white circle of the illustrated "Federal Enterprise Architecture" shown in Figure 1.

Figure 1. Computer Security Division et al., "Federal Enterprise Architecture." Retrieved August 23, 2019, from https://csrc.nist.gov/Projects/Risk-Management/rmf-overview



Using the Risk Management Framework to Manage Risk

Step One – Prepare

The seven steps of the RMF begin with step one, the Prepare step. The Prepare step ensures that effective communication is established between senior leaders, system owners, and operators. It also allows the organization to ensure that operators' priorities align with organizational priorities through an allocation of resources based on an organization-wide system prioritization. This allows the organization's risk appetite to provide clear direction toward the selection and implementation of controls. Additionally, preparation reduces duplication of effort by creating common controls and standards which are used by members of the organization, who can then focus on tailoring the controls in their control baselines to further reduce costs and enhance protection of information systems. These activities simplify the management of information systems, reduce risk, and reduce costs, all through the creation of a standard set of controls, architecture concepts and models, and applications and services.

After the Prepare step is implemented, the scope of risk, risk tolerance, communication channels, and roles and responsibilities are defined and communicated, and the organization can move toward categorizing systems. Typically, both a privacy and a security policy provide guidance and are used as inputs for the Prepare step. Also, organizational charts are leveraged to determine appropriate role assignments for activities within the RMF. The Prepare step produces the following documents:

1. Risk Management Framework role assignments
2. The risk management strategy, including a statement describing the organization's risk tolerance in accordance with the privacy and security risk policies
3. Organization-level risk assessment results


4. Approved organizationally tailored control baselines and risk profiles
5. List of common control providers and controls to be inherited by operators of information systems
6. List of organizational systems prioritized into low-, moderate-, and high-impact sub-categories
7. An organizational strategy for continuous monitoring of information systems

Step Two – Categorize

The second step of the RMF is the Categorize step. In this step, information systems are analyzed to determine the impact to the organization should a risk be realized. Identified risks can be accepted, ignored, avoided, transferred, or mitigated using security controls. However, in order to determine how risk can be measured, the information systems and the data they store, process, or transmit must be categorized first. Stine et al. emphasize how security categorization is a precursor to selecting controls when they state "[t]he identification of information processed on an information system is essential to the proper selection of security controls and ensuring the confidentiality, integrity, and availability of the system and its information" (2008, p. 1). Selecting an appropriate categorization standard for information systems allows us to properly assess the impact of a system breach. When we know the impact, we can align with our organization's desired risk profile for protecting data.

The National Institute of Standards and Technology (NIST) has drafted various standards and methodologies appropriate for measuring impact and risk. Two common documents address this risk categorization and provide a way to categorize information systems and data. The first document is the Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. FIPS 199 uses security categories "...based on the potential impact on an organization should certain events occur which jeopardize the information and information systems" (National Institute of Standards and Technology, 2004, p. 1). Categorization seeks to achieve the three security objectives defined by the Federal Information Security Management Act of 2002: protecting the confidentiality of information against unauthorized access, the integrity of information from alteration or destruction, and the availability of information to authorized users.

Information systems are analyzed and the impact against confidentiality, integrity, and availability is rated as low, moderate, or high. Low impact is described as that which has a limited negative effect on the security objectives for organizations, operations, and individuals; moderate is a serious negative effect; and high is a severe or catastrophic negative effect. These ratings are applied to information types or information systems using the following formula:

Security Categorization (SC) information type/system = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where each impact value is Low, Moderate, High, or Not Applicable.

The expected outputs from the Categorize step include:

1. Descriptions of the organization's information systems
2. List of impact levels of information types and security categorizations for information systems
3. Formal approval of the security categorizations from senior management
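As an added illustration (not part of the paper), the FIPS 199 formula above applied in code to a few constructed information types handled by one tenant system in the shared office. The aggregation rules it encodes come from FIPS 199 and FIPS 200: Not Applicable is permitted only for the confidentiality of an information type, the system's value for each objective is the highest value over the information types it handles, and the overall system impact level is the highest of the three objectives.

```python
# Added example (not from the paper). Information types below are constructed
# for a shared-office tenant system; the rules encoded come from FIPS 199/200.
from typing import Dict, List, Optional

Level = Optional[str]        # "low" | "moderate" | "high" | None (Not Applicable)
OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {"low": 1, "moderate": 2, "high": 3}


def categorize_information_type(name: str, confidentiality: Level, integrity: Level,
                                availability: Level) -> Dict[str, Level]:
    """SC(information type) = {(C, impact), (I, impact), (A, impact)}.

    Only confidentiality may be Not Applicable (e.g. public information);
    integrity and availability always carry at least a low impact.
    """
    sc: Dict[str, Level] = {"confidentiality": confidentiality,
                            "integrity": integrity, "availability": availability}
    for objective, level in sc.items():
        if level is None and objective != "confidentiality":
            raise ValueError(f"{name}: {objective} cannot be Not Applicable")
        if level is not None and level not in RANK:
            raise ValueError(f"{name}: unknown impact level {level!r}")
    sc["name"] = name
    return sc


def categorize_system(info_types: List[Dict[str, Level]]) -> Dict[str, str]:
    """SC(system) per objective is the high water mark over its information types.

    A system must carry a value for every objective, so a system whose
    information types are all N/A for confidentiality is still rated low.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    system_sc: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = [t[objective] for t in info_types if t[objective] is not None]
        system_sc[objective] = max(levels, key=RANK.get) if levels else "low"
    return system_sc


def overall_impact(system_sc: Dict[str, str]) -> str:
    """Single low/moderate/high level used to prioritize the system and pick
    its control baseline: the highest value across the three objectives."""
    return max(system_sc.values(), key=RANK.get)


def format_sc(label: str, sc: Dict[str, Level]) -> str:
    """Render the FIPS 199 notation used in the paper."""
    parts = ", ".join(f"({obj}, {'N/A' if sc[obj] is None else sc[obj].upper()})"
                      for obj in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed information types handled by one tenant system in the shared office.
SHARED_OFFICE_TYPES = [
    categorize_information_type("public web content", None, "moderate", "low"),
    categorize_information_type("visitor badge records", "moderate", "moderate", "low"),
    categorize_information_type("building access logs", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    for t in SHARED_OFFICE_TYPES:
        print(format_sc(t["name"], t))
    system = categorize_system(SHARED_OFFICE_TYPES)
    print(format_sc("tenant system", system))
    print("overall impact level:", overall_impact(system))
```

Run as a script it prints the categorization of each information type followed by the system-level category; for the constructed types the system comes out as {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}, an overall high-impact system.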



Step Three – Select Controls

The third step of the RMF is the Select Controls step. This step evaluates available security controls to create control baselines, described by the Joint Task Force et al. as "a collection of controls...specifically assembled or brought together to address the protection needs of a group, organization, or community of interest" (Joint Task Force & National Institute of Standards and Technology, 2017, p. 13). The collections of privacy and security controls are categorized into families, as shown in Figure 2, titled "Table 1: Security and Privacy Control Families."

Figure 2. Joint Task Force et al., "Table 1: Security and Privacy Control Families," Initial Public Draft (IPD), Special Publication 800-53 ..., p. 7. Retrieved August 23, 2019, from https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

Controls from every family are required to ensure the confidentiality, integrity, and availability of our information and information systems. The selected controls provide a baseline set of controls and enable the organization's information system operators to create a tailored set of organizational controls in order to reduce their level of effort and reduce organizational cost. Operators are also able to focus on the remaining controls relevant to their information systems and environments, based on the information system risk profiles prepared and chosen by the organization in the previous steps.

The outputs from the Select Controls step of the RMF include:

1. A list of controls for the system and environment of operation
2. Tailored control baselines selected for specific systems and their environments
3. Unique security and privacy controls used by the system and environment
4. An information security and privacy plan for each system
5. A strategy for continuous monitoring and any triggers for the reassessment and authorization of the system
6. A formal authorization of the security and privacy plans from the authorizing official

Step Four – Implement Controls

After selecting controls, system operators can use their tailored list of controls and implement them for each information system by following the approved security and privacy plans. This is the fourth step in the RMF, formally referred to as the "Implement Controls" step. The Joint Task Force et al. describe the purpose of the Implement Controls step as being "to implement the controls in the security and privacy plans for the system and for the organization and to document in a baseline configuration, the specific details of the control implementation" (Joint Task Force, 2018, p. 58).

This step requires the information system operators to document the implementation of the approved controls selected by the organization, in accordance with the security and privacy plans created from the outputs of the previous steps. It is critical that any deviations from the security and privacy plans when implementing controls are documented and that the plans are updated to reflect the changes. The operators also ensure that their implementation of controls aligns with the methodologies and architectures provided by the baseline control architects, to reduce costs and minimize complexity. This process produces the following set of outputs and activities:

1. Systems with implemented controls
2. Updated security and privacy plans, if required, and a system configuration baseline

Step Five – Assess Controls

Once controls have been implemented, the fifth step allows organizations to ensure that controls were implemented correctly and that they are operating as expected. This step, referred to as the "Assess Controls" step, is a continuous process which aids in ensuring that changes to information systems and personnel do not introduce gaps into the security and privacy plans. It is important to note that security control assessments are not "...simply one-time activities that provide permanent and definitive information..." (Joint Task Force Transformation Initiative, 2012, p. 5).

In the previous steps a high-level security assessment plan was developed. In this phase of the RMF a security assessor is chosen, typically an independent party, and a more detailed and formal security assessment plan is developed and approved. The security assessor performs an assessment of the implemented controls and produces a security assessment report (SAR), which is used to communicate with senior management. The SAR includes identified gaps with regard to the selection or implementation of security controls, as well as residual (remaining) risk. Finally, the SAR is used to develop immediate remediation steps and a formal plan called a Plan of Action and Milestones (POA&M).



The documented outputs and activities from the Assess Controls step include:

1. An identified security assessor or team who will conduct the assessment
2. An assessment plan for the security and privacy assessments, approved by the authorizing official
3. Completed assessment report with documented evidence of controls
4. An assessment report with findings and recommendations
5. A documented list of remediation actions, and updated security and privacy plans with all changes required for control implementations of the systems
6. A plan of action and milestones (POA&M) which describes how, and when, failed controls will be remediated and reassessed

Step Six – Authorize System

The sixth step of the RMF is the Authorize System step. In the Authorize System step, senior officials "Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable" (Joint Task Force, 2018, p. 9). The previous five steps (prepare, categorize, select, implement, and assess) are used to identify and implement security controls and create a body of evidence regarding the state of information security and privacy. The body of evidence from the assessment provides details of any failures identified when controls were assessed (e.g. weaknesses discovered, unimplemented controls, etc.) as well as a plan of action and milestones (POA&M) to address identified weaknesses, which are included as part of an "Authorization Package." The package output from the Assess Controls step includes an updated security plan, a Security Assessment Report (SAR), and a POA&M.



The decision to authorize systems for use is a senior management decision. In the Authorize step the senior management official is referred to as the Authorizing Official (AO). It is the AO who must decide whether the systems should continue to operate by weighing the risks, and the costs to accept or mitigate them, against the operational and mission needs of the organization. The AO may issue an Authorization to Operate (ATO), an Interim Approval to Test (IATT), or a Denial of Authorization to Operate (DATO). An ATO may be given with conditions which must be met to ensure systems continue to be authorized. If a DATO is issued, the AO specifies the steps required in order to obtain an ATO, or why the risk involved with operating the system is unacceptable.

The Authorize System step produces the following activities and documents:

1. An authorization package prepared for submission to the authorizing official
2. A risk determination based on the organization's risk-tolerance statement and the assessment results, evaluated against the value provided by continuing to operate the information systems
3. A list of responses to the remaining risk
4. A documented decision (e.g. authorization to operate, denial of authorization to operate, etc.)
5. Archiving the decision for future reference

Step Seven – Monitor Controls

After the first six steps have been performed, continuous monitoring of the environment and of the information system is required to maintain a consistent risk profile. This is the purpose of the seventh step of the RMF, which is called the Monitor Controls step. Johnson et al. emphasize that "An information system is typically in a constant state of change in response to new, enhanced, corrected, or updated hardware and software capabilities, patches for correcting software flaws and other errors to existing components, new security threats, changing business functions, etc." (Johnson et al., 2011, p. 1). It is here we address how best to manage the complications which arise from the continuous change of personnel, hardware, software, and firmware. This is accomplished by building onto our initial organizational plan for continuous monitoring of information systems.

In previous steps we created baseline configurations, which are the expected set of controls required to securely operate information systems. However, as we work in a dynamic environment, managing the changes tactically requires a process known as Configuration Management. Effective configuration management aims to manage change (and reduce risk) within our dynamic environments. A change control process is required to bring together subject matter experts whenever changes are needed to continue supporting business operations, and to ensure a methodical plan to analyze and implement changes. This is best achieved by chartering a change (or configuration) control board and having these persons meet regularly, or ad hoc whenever emergency changes are required, to discuss and plan through managed change.

Johnson et al. describe this as Security-Focused Configuration Management (SecCM), which is "...the management and control of secure configurations for an information system to enable security and facilitate the management of risk" (Johnson et al., 2011, p. 7). SecCM enables the organization to identify and record configurations impacting the security of information systems, consider the security risks when changes are required, and document and approve changes. This is achieved by planning for change, identifying and implementing configurations, controlling changes, and monitoring for unexpected or adverse changes.



Dempsey et al. describe another process for monitoring systems for changes, an Information Security Continuous Monitoring (ISCM) program. This program relies on automation of security configuration monitoring to reduce mistakes and risk and is detailed in NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (2011). ISCM addresses defining, establishing, implementing, creating reports from, responding to, and updating an organization's capability to continuously monitor information systems for changes which may affect information security and privacy.

The following outputs and activities are included in the Monitor Controls step:

1. The establishment and continuing operation of a Configuration or Change Control Board (CCB)
2. Updated security and privacy plans, POA&Ms, and assessment reports on a continuous basis
3. Mitigation activities or acceptance of risks, as well as updated security and privacy plans and assessment reports
4. Updated assessment reports with POA&Ms and risk results, including authorizing officials' decisions
5. Reports regarding the security and privacy postures of systems for senior management to make risk-based decisions
6. Ongoing activities reviewing the security and privacy postures of systems to provide evidence to authorizing officials to make authorization decisions
7. Documented system disposal strategies and inventory lists
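An added example (not the paper's own, nor NIST's) of the SecCM monitoring activity the Monitor Controls step describes: it compares a system's current configuration against its approved baseline and reconciles each difference with the change control board's approved change records, so that only unexpected changes are raised for the POA&M while approved ones are folded into the next baseline. All component and setting names, values, and the CCB ticket number are constructed.

```python
# Added example, not from the paper. Baseline, current state and CCB records
# below are constructed; setting names are illustrative placeholders.
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional

Config = Dict[str, Dict[str, str]]   # component -> setting -> value

@dataclass(frozen=True)
class ChangeRecord:
    ticket: str
    component: str
    setting: str
    approved_value: str

@dataclass(frozen=True)
class Finding:
    component: str
    setting: str
    baseline: Optional[str]
    current: Optional[str]
    status: str   # approved | unapproved | unexpected-setting | missing-component
    ticket: str = ""

def assess_drift(baseline: Config, current: Config,
                 changes: List[ChangeRecord]) -> List[Finding]:
    """Classify every difference between the current state and the baseline."""
    approved = {(c.component, c.setting): c for c in changes}
    findings: List[Finding] = []
    for component, expected_settings in baseline.items():
        live = current.get(component)
        if live is None:
            # Whole component gone: an inventory problem, not setting drift.
            findings.append(Finding(component, "*", None, None, "missing-component"))
            continue
        for setting, expected in expected_settings.items():
            actual = live.get(setting)
            if actual == expected:
                continue
            rec = approved.get((component, setting))
            # Drift is only "approved" when it lands on the CCB-approved value.
            ok = rec is not None and rec.approved_value == actual
            findings.append(Finding(component, setting, expected, actual,
                                    "approved" if ok else "unapproved",
                                    rec.ticket if rec else ""))
        for setting in sorted(live.keys() - expected_settings.keys()):
            # Settings the baseline never recorded, e.g. a new debug listener.
            findings.append(Finding(component, setting, None, live[setting],
                                    "unexpected-setting"))
    return findings

def poam_candidates(findings: List[Finding]) -> List[Finding]:
    """Everything not covered by an approved change is raised for the POA&M."""
    return [f for f in findings if f.status != "approved"]

def updated_baseline(baseline: Config, findings: List[Finding]) -> Config:
    """Fold approved changes into a new baseline; the original is left intact."""
    new = copy.deepcopy(baseline)
    for f in findings:
        if f.status == "approved" and f.current is not None:
            new[f.component][f.setting] = f.current
    return new

# Constructed sample data for a shared-office tenant's two components.
BASELINE: Config = {
    "badge-server": {"ssh_password_auth": "no", "tls_min_version": "1.2",
                     "log_forwarding": "enabled"},
    "visitor-kiosk": {"auto_update": "enabled", "guest_wifi_isolation": "enabled"},
}
CURRENT: Config = {
    "badge-server": {"ssh_password_auth": "no", "tls_min_version": "1.3",
                     "log_forwarding": "disabled", "debug_port": "8000"},
    "visitor-kiosk": {"auto_update": "enabled", "guest_wifi_isolation": "disabled"},
}
CCB_RECORDS = [ChangeRecord("CCB-2019-014", "badge-server", "tls_min_version", "1.3")]

if __name__ == "__main__":
    for f in poam_candidates(assess_drift(BASELINE, CURRENT, CCB_RECORDS)):
        print(f"{f.component}/{f.setting}: {f.baseline} -> {f.current} [{f.status}]")
```

For the constructed data the TLS change is matched to its CCB ticket, while the disabled log forwarding, the disabled guest Wi-Fi isolation, and the unrecorded debug port are the three findings that go to the POA&M.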



Summary

Because of the environment in which our organization operates (a shared office environment), the nature of information systems, the dynamic nature of security and privacy risks, and the requirement to consistently monitor risk, we required a comprehensive approach to frame and reduce risk to acceptable levels. The NIST RMF provides a flexible framework for our organization to prepare and categorize systems in order to effectively manage the risk associated with operating information systems. This allows senior management to choose an acceptable level of risk, and the organization to choose and implement the appropriate security controls. The RMF also provides a communication feedback process to ensure senior managers are aware of the organization's implementation of controls and to ensure those controls mirror their risk appetite.

The Risk Management Framework also provides the framework to assess information system risk and to provide detailed reports regarding the state of our security controls. These reports can be provided to system owners to evaluate whether they want to authorize information systems based on their assessed security controls, or require operators to implement changes to reduce risk to acceptable levels. Finally, a process of monitoring controls is established to manage the inevitable changes which will occur in the environment. We create a SecCM process to ensure that changes to personnel, software, hardware, or firmware can be evaluated in the context of information security. These changes are evaluated and the impacts are shared with system and business owners to determine whether a change affects information system security postures and whether these changes are appropriate for authorization. By using the RMF process, we are able to effectively identify and manage the risks inherent in using information systems.

References

Dempsey, K., Chawla, N., Johnson, A., Johnson, R., Jones, A., Orebaugh, A., Scholl, M., & Stine, K. (2011). Special Publication 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

Johnson, A., Dempsey, K., Ross, R., Gupta, S., & Bailey, D. (2011). Special Publication 800-128: Guide for Security-Focused Configuration Management of Information Systems. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf

Joint Task Force. (2012, September). Guide for Conducting Risk Assessments, NIST Special Publication 800-30 Revision 1. Retrieved August 11, 2019, from https://doi.org/10.6028/NIST.SP.800-30r1

Joint Task Force. (2018, December). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Special Publication 800-37 Revision 2. Retrieved August 1, 2019, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Joint Task Force, & National Institute of Standards and Technology. (2017, August). Initial Public Draft (IPD), Special Publication 800-53 ... Retrieved July 26, 2019, from https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

National Institute of Standards and Technology. (2004, February). FIPS 199, Standards for Security Categorization of Federal ... Retrieved July 22, 2019, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008, August). NIST SP 800-60 Volume 1 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories (United States, National Institute of Standards and Technology, Department of Commerce). Retrieved July 22, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
