To help your company manage information security risk at the system level, NIST developed the Risk Management Framework (RMF). The RMF promotes the idea of real-time risk management and ongoing system authorization by using a continuous monitoring process.
The six steps of the Risk Management Framework are:
- Security Categorization
- Security Control Selection
- Security Control Implementation
- Security Control Assessment
- System Authorization
- Security Control Monitoring
Step 1: Categorize
In the first step of the RMF you categorize the system in question, and the information it processes, stores, and transmits, based on an impact analysis. You can find guidance on security categorization in FIPS 199 and NIST SP 800-60.
Step 2: Select
In the second step of the RMF, you select an initial set of baseline security controls for the system that are based on the security categorization. You also tailor and supplement the security control baseline as needed based on the environment the system operates in and your company’s risk assessment.
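Steps 1 and 2 turn on a concrete rule from FIPS 199: each information type gets an impact level (low, moderate, or high) for confidentiality, integrity, and availability, and the system's category is the high-water mark of those levels across every information type it handles; the highest of the three system-level values then determines which baseline you select in step 2. The following is an added example (not code from the article or from NIST) that applies that rule; the payroll system and its information types are constructed sample data, not taken from any NIST catalogue.

```python
"""FIPS 199 security categorization of a system using the high-water mark rule.

Added example, not part of the original article. The sample information types
and their impact levels are constructed for illustration only.
"""
from dataclasses import dataclass

# FIPS 199 impact levels in rank order. NA (not applicable) is permitted only for
# the confidentiality of an information type (e.g. public information), never
# for a system as a whole.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One type of information processed, stored, or transmitted by the system."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject unknown levels and NA on anything other than confidentiality.
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{self.name}: NA is only allowed for confidentiality")


def _rank(level: str) -> int:
    return LEVELS[level]


def categorize_system(info_types) -> dict:
    """Apply the high-water mark: for each objective take the highest level found
    among the information types. A system can never be NA, so NA rounds up to LOW."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max((getattr(t, objective) for t in info_types), key=_rank)
        category[objective] = "LOW" if highest == "NA" else highest
    return category


def overall_impact(category: dict) -> str:
    """The system's overall impact level: the highest of the three objectives.
    This is the value that selects the low, moderate, or high control baseline
    in RMF step 2."""
    return max(category.values(), key=_rank)


def format_category(system_name: str, category: dict) -> str:
    """Render the categorization in the FIPS 199 notation."""
    parts = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a hypothetical payroll system and the information it handles.
SAMPLE_TYPES = [
    InformationType("employee records", "MODERATE", "MODERATE", "LOW"),
    InformationType("payroll transactions", "MODERATE", "HIGH", "MODERATE"),
    InformationType("public job postings", "NA", "LOW", "LOW"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_TYPES)
    print(format_category("payroll system", category))
    print("baseline to select in step 2:", overall_impact(category))
```

Running it shows why the rule matters in practice: a single HIGH integrity rating on the payroll transactions type pulls the whole system to a high baseline, even though every other value is moderate or low. That is the point where tailoring in step 2 usually starts, since the overall level is set by the most sensitive information type rather than the average one.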
Step 3: Implement
In the third step, you implement the security controls that you selected. You also document how the controls are used within the system and its environment of operation. There are a number of NIST publications that provide detailed information on security control implementation. These publications are available at the NIST Computer Security Resource Center website.
Step 4: Assess
In the Assess step, you use appropriate assessment procedures to assess the security controls and determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. NIST SP 800-53A provides guidelines for developing assessment methods and procedures to determine security control effectiveness in federal systems.
Step 5: Authorize
Based on the results of a complete and thorough security assessment that indicates the system is operating at an acceptable level of risk, you officially authorize the system to operate (or continue to operate).
Step 6: Monitor
The sixth step of the RMF is to continuously monitor the security controls in the system to ensure that they are effective over time as changes occur to the system and in the environment of operation. Your company will monitor the security controls in the system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or operating environment, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated company officials. See NIST SP 800-137 for specific guidance on continuous monitoring.