Mapping Out the NIST Risk Management Framework (RMF)

03:08:2024

The DoD and all federal agencies now use the Risk Management Framework (RMF) developed by the National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence, the DoD, and the Committee on National Security Systems.

The days of the DoD Information Assurance Certification and Accreditation Process (DIACAP) are phasing out. 

Compared with Revision 4 of NIST SP 800-53 (the control catalog the RMF draws its baselines from), Revision 5 contains 66 new base controls, 202 new control enhancements, and 131 new parameters to existing controls. That delta is a practical way to focus remediation work tracked in Plans of Action and Milestones (POA&Ms).

The RMF replaces the Certification and Accreditation process with a six-step life cycle that ensures security considerations are addressed early in the system development life cycle. (NIST SP 800-37 Revision 2, published in 2018, formalizes the preparation work described below as a seventh step, Prepare, ahead of the six.)

 

RMF vs. DIACAP

The RMF process is an improvement over DIACAP because it emphasizes:

  1. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls.
  2. Maintaining awareness of system security through enhanced continuous monitoring.
  3. Providing the authorizing official and system owner with the information they need to make organizational risk decisions.

 

The 6 RMF Steps

Before diving into RMF implementation, you need to establish a solid base through preparation. Identify the organization's mission objectives, the common controls it already provides, the regulatory requirements it is subject to, and its overall risk tolerance. With that information you can define roles (system owner, authorizing official, control assessor) and start the system security plan, both of which are crucial for accountability later on.

To ensure that your gathered data serves a purpose in the long run, record it in an organization-level risk management strategy that lays out the approach to risk management, including the methodologies used for risk assessment, monitoring, and reviews. The NIST Cybersecurity Framework is one common structure for that strategy.

Also, keep in mind that implementing the NIST RMF will require the active involvement of all departments, not just IT. If you ensure that everyone can bring in their perspective early on, you can foster a culture of security while raising awareness of the issues you're trying to address. In some cases, that may even require additional training.

You'll also need a detailed inventory of all information systems within your organization, which may require significant effort, depending on your setup. Reserve time to document the interconnections between systems and define each system's authorization boundary, so that every system can later be categorized correctly.

The six steps of the RMF process (Categorize, Select, Implement, Assess, Authorize, and Monitor) are briefly explained below to help you understand the overall process.

 

1) Categorization

After gathering all the information about your system setup and the goals you'd like it to achieve, it's time to sift through your findings. In this phase, the information system and the information types it processes, stores, and transmits are categorized based on an impact analysis: each information type is assigned a low, moderate, or high potential impact for confidentiality, integrity, and availability, and the system's security category is the high-water mark across all of its information types for each objective. Instructions on how to categorize systems are provided in Federal Information Processing Standards (FIPS) Publication 199 and NIST Special Publication (SP) 800-60.

 

2) Selection

The security category from the previous step is used to select an initial set of baseline security controls. Per FIPS 200, the system's overall impact level is the highest impact across the three objectives, and that level (low, moderate, or high) selects the corresponding baseline from NIST SP 800-53. The selection process then tailors and supplements that baseline based on an assessment of operational risk and local conditions, and records the result in the system security plan. Instructions on selecting controls are provided in FIPS 200 and NIST SP 800-53.
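The categorization and baseline selection described in the two steps above are mechanical enough to show in code. The following is an added example, not code from the original post or from NIST: it computes the FIPS 199 security category as the per-objective high-water mark across information types, derives the FIPS 200 overall impact level, and maps it to the SP 800-53 baseline to start tailoring from. The information types and their impact levels are constructed for illustration, and `InfoType`, `categorize_system`, `overall_impact` and `baseline_for` are hypothetical names.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    """FIPS 199 potential impact levels. IntEnum ordering lets max() compute
    the high-water mark directly."""
    NA = 0        # "not applicable": FIPS 199 permits this only for confidentiality
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, stores or transmits, with the
    provisional impact levels assigned to it (SP 800-60 style)."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199: integrity and availability always carry at least a LOW impact.
        if self.integrity == Impact.NA or self.availability == Impact.NA:
            raise ValueError(f"{self.name}: integrity/availability cannot be N/A")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """FIPS 199 system categorization: for each security objective, take the
    highest impact level assigned to any information type on the system."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(getattr(it, obj) for it in types) for obj in OBJECTIVES}


def overall_impact(security_category: Dict[str, Impact]) -> Impact:
    """FIPS 200 high-water mark: the system's overall impact level is the highest
    value across the three objectives. This is what selects the baseline."""
    return max(security_category.values())


def baseline_for(level: Impact) -> str:
    """Map the overall impact level to the SP 800-53 baseline to tailor from."""
    if level == Impact.NA:
        raise ValueError("overall impact cannot be N/A")
    return level.name  # "LOW", "MODERATE" or "HIGH"


def format_security_category(sc: Dict[str, Impact]) -> str:
    """Render in the notation FIPS 199 uses, e.g.
    SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"""
    parts = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: three information types on a hypothetical acquisition portal.
# The impact levels are illustrative, not taken from SP 800-60.
SAMPLE_INFO_TYPES = [
    InfoType("public web content", Impact.NA, Impact.MODERATE, Impact.MODERATE),
    InfoType("internal admin records", Impact.LOW, Impact.LOW, Impact.LOW),
    InfoType("contract negotiation data", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_security_category(sc))
    print("overall impact:", overall_impact(sc).name)
    print("starting baseline:", baseline_for(overall_impact(sc)))
```

Note the consequence of the high-water mark: a single information type rated high for one objective pulls the whole system, and therefore its baseline, to high. That is why defining tight authorization boundaries during preparation matters; a boundary that lumps a public website together with sensitive data inherits the sensitive data's impact level for every control on the site.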

 

3) Implementation of controls

In this stage, security engineers and information assurance professionals implement the selected controls within the information system and its environment of operation, and document in the system security plan how each control is implemented so the assessor in the next step has something concrete to test against.

 

4) Assessment

Once security engineers and IA professionals have implemented security controls, appropriate security assessment procedures are employed. These procedures determine the extent to which the controls are correctly implemented, operating as intended, and producing the desired outcome in meeting the security and RMF compliance requirements for the system. Guidelines on assessing controls are provided in NIST SP 800-53A.

 

5) Authorization

This is the stage at which the system may begin operating. Based on the assessment results and the residual risk of the implemented controls, the authorizing official determines the risk to organizational operations, assets, individuals, other organizations, and the Nation, and decides whether that risk is acceptable; if it is, the system receives an authorization to operate, usually with remaining weaknesses tracked in a POA&M. Guidelines on authorizing systems are provided in NIST SP 800-37.

 

6) Continuous Monitoring

Once an information system is authorized and deployed, the security controls are monitored on an ongoing basis. That includes: 

  • Assessing control effectiveness.
  • Documenting changes to the system or its environment of operation.
  • Conducting security impact analyses of associated changes.
  • Reporting the system’s security state to designated organizational officials. 

Guidelines on information security continuous monitoring are provided in NIST SP 800-137; the assessment procedures reused during monitoring come from NIST SP 800-53A.

With DIACAP no longer being the standard and RMF here to stay, agencies across the Federal Government should endeavor to start implementing the prescribed six steps as early in the system development life cycle as possible. That way, it’s easier to ensure compliance with FISMA and mitigate the risk of operating an information system. 
