The Risk Management Framework (RMF) is a set of criteria that dictate how the United States government IT systems must be architected, secured, and monitored.
Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. Today, the National Institute of Standards and Technology (NIST) maintains NIST and provides a solid foundation for any data security strategy.
The RMF builds on several previous risk management frameworks and includes several independent processes and systems. It requires that firms implement secure data governance systems and perform threat modeling to identify cyber risk areas.
In this guide, we’ll take you through everything you need to know about the RMF. We’ll break down the components of the framework in several sections:
- What Comprises the RMF?
- The 5 Risk Management components
- The 6 RMF steps
- The benefits of the RMF for businesses
- How Varonis can help you become RMF compliant
- What Comprises the Risk Management Framework?
The general concept of “risk management” and the “risk management framework” might appear to be quite similar, but it is important to understand the distinction between the two. The risk management process is specifically detailed by NIST in several subsidiary frameworks.
The most important is the elegantly titled “NIST SP 800-37 Rev.1”, which defines the RMF as a 6-step process to architect and engineer a data security process for new IT systems, and suggests best practices and procedures each federal agency must follow when enabling a new system.
In addition to the primary document SP 800-37, the RMF uses supplemental documents SP 800-30, SP 800-53, SP 800-53A, and SP 800-137:
NIST SP 800-30, entitled Guide for Conducting Risk Assessments, provides an overview of how risk management fits into the system development life cycle (SDLC) and describes how to conduct risk assessments and how to mitigate risks.
NIST SP 800-37 discusses the risk management framework itself and contains much of the information we’ll cover in the remainder of this guide.
Finally, NIST SP 800-39, titled Managing Information Security Risk, defines the multi-tiered, organization-wide approach to risk management crucial for reaching compliance with the RMF.
The 5 Risk Management Components
When getting started with the RMF, it can be useful to break the risk management requirements into different categories. These categories provide a way of working toward an effective risk management system, from identifying the most critical risks you face to how you will mitigate them.
The first, and arguably the most important, part of the RMF is to perform risk identification. NIST says, “the typical risk factors include threat, vulnerability, impact, likelihood, and predisposing condition.” During this step, you will brainstorm all the possible risks you can imagine across all of your systems and then prioritize them using different factors:
- Threats are events that could potentially harm the organization by intrusion, destruction, or disclosure.
- Vulnerabilities are weaknesses in the IT systems, security, procedures, and controls that can be exploited by bad actors (internal or external).
- Impact is a measurement of how severe the harm to the organization would be if a particular vulnerability or threat is compromised.
- Likelihood is a measurement of the risk factor based on the probability of an attack on a specific vulnerability.
- Predisposing conditions are a specific factor inside the organization that either increases or decreases the impact or likelihood that a vulnerability will come into play.
Risk Measurement and Assessment
Once you have identified the threats, vulnerabilities, impact, likelihood, and predisposing conditions, you can calculate and rank the risks your organization needs to address.
Organizations take the previous ranked list and start to figure out how to mitigate the threats from the greatest to the least. At some point in the list, the organization can decide that risks below this level are not worth addressing, either because there is little likelihood of that threat getting exploited, or if there are too many greater threats to manage immediately to fit the low threats into the work plan.
Risk Reporting and Monitoring
The RMF requires that organizations maintain a list of known risks and monitor known risks for compliance with the policies. Statistics on data breaches indicate that many companies still do not report all of the successful attacks they are exposed to, which could impact their peers.
Finally, all of the steps above should be codified into a risk governance system.
The 6 Risk Management Framework (RMF) Steps
At the broadest level, RMF requires companies to identify which system and data risks they are exposed to and implement reasonable measures to mitigate them. The RMF breaks down these objectives into six interconnected but separate stages.
1. Categorize Information Systems
- Use NIST standards to categorize information and systems so you can provide an accurate risk assessment of those systems.
- NIST tells you what kinds of systems and information you should include.
- And what level of security you need to implement based on the categorization.
References: FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems; Special Publication 800-60 Rev. 1 (Volume 1, Volume 2), Guide for Mapping Types of Information and Information Systems to Security Categories
2. Select Security Controls
Select the appropriate security controls from the NIST publication 800-53 to “facilitate a more consistent, comparable, and repeatable approach for selecting and specifying security controls for systems.”
References: Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations ed. note the updated version of 800-53 goes into effect on September 23, 2021. Stay tuned for details.
3. Implement Security Controls
Put the controls you selected in the previous step in place and document all the processes and procedures you need to maintain their operation.
References: Multiple publications provide best practices to implement security controls. Check out this page to search for them.
4. Assess Security Controls
Make sure the security controls you implemented are working the way they need to so you can limit the risks to your operation and data.