Understanding The NIST Risk Management
Framework – NIST SP 800-37 Revision 2
Denise Tawwab, CISSP, CCSK
Information Security Risk and Compliance Consultant
www.denisetawwab.com
919.339.2253
June 2-5, 2019 | Myrtle Beach, SC
Denise Tawwab, CISSP
What We Will Cover in This Section
 Background of NIST RMF
 Target Audience
 NIST 800-37 Fundamentals
NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 2
BACKGROUND
Joint Task Force Transformation Initiative (JTFTI)
 The JTFTI Interagency Working Group came together to produce a unified
information security framework for the federal government.
 JTFTI members came from:
 National Institute of Standards and Technology (NIST)
 Department of Defense (DOD),
 Office of the Director of National Intelligence (ODNI), and
 Committee on National Security Systems (CNSS)
 JTFTI produced 5 core NIST FISMA documents that define the risk management
process, develop the risk management framework (RMF) to improve information
security, and encourage reciprocity among organizations.
5 Core Documents
 NIST SP 800-39, Managing Information Security Risk
 NIST SP 800-30, Guide for Conducting Risk Assessments
 NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
 NIST SP 800-53, Recommended Security Controls for Federal Information Systems
 NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
and Organizations
The NIST Risk Management Framework (RMF)
The RMF provides a dynamic and flexible approach to
 effectively manage information security and privacy risks
 in diverse environments
 with complex and sophisticated threats, changing missions, and system
vulnerabilities.
The NIST Risk Management Framework (RMF)
The NIST Risk Management Framework emphasizes risk management by:
 Building security and privacy capabilities into information systems throughout the
Systems Development Life Cycle (SDLC);
 Maintaining awareness of the security and privacy posture of information systems on
an ongoing basis through continuous monitoring processes;
 Providing information to senior leaders and executives to facilitate decisions
regarding the acceptance of risk to organizational operations and assets, individuals,
other organizations, and the Nation arising from the operation and use of systems.
8 Goals of the RMF (1 of 2)
1. Provides a repeatable process designed to promote the protection of information
and information systems commensurate with risk.
2. Emphasizes organization-wide preparation necessary to manage security and privacy
risks;
3. Facilitates the categorization of information and systems; the selection,
implementation, assessment, and monitoring of controls; and the authorization of
information systems and common controls.
4. Promotes near real-time risk management and ongoing system and control
authorization through the implementation of robust continuous monitoring
processes;
8 Goals of the RMF (2 of 2)
5. Encourages the use of automation to provide senior leaders with the necessary
information to make cost-effective, risk-based decisions for information systems
supporting their missions and business functions;
6. Facilitates the seamless integration of security and privacy requirements and
controls into enterprise architecture, SDLC, acquisition processes, and systems
engineering processes;
7. Connects risk management processes at the organization and mission/business
process levels to risk management processes at the information system level via a
risk executive (function);
8. Establishes responsibility and accountability for controls implemented within
information systems and inherited by those systems.
Reciprocity
 Reciprocity is an agreement among participating organizations to accept each
other’s security and privacy assessment results, to reuse system resources, or to
accept each other’s assessed security and privacy posture to share information.
RMF 2.0
 Communication between C-Suite and Implementers and Operators
 Privacy Risk Management
 Supply Chain Risk Management
 Security Risk Management
 Alignment with Security Engineering Processes
 Alignment with NIST Cybersecurity Framework
RMF Target Audience (2 of 2)
 People responsible for conducting security or privacy assessments and for
monitoring information systems (control assessors, auditors, and system owners).
 People with security or privacy implementation and operational responsibilities
(system owners, common control providers, information owners/stewards, mission
or business owners, security or privacy architects, and systems security or privacy
engineers).
NIST 800-37 FUNDAMENTALS
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management
Organization-Wide Risk Management
Managing information system-related security and privacy risks is a complex
undertaking that requires the involvement of the entire organization –
 from senior leaders providing the strategic vision and top-level goals and objectives
for the organization,
 to mid-level leaders planning and managing projects,
 to individuals developing, implementing, operating, and maintaining the systems
supporting the organization’s missions and business functions.
Organization-Wide Risk Management
Risk management is a holistic activity that is fully integrated into every aspect of the
organization including:
 the mission and business planning activities,
 the enterprise architecture,
 the SDLC processes, and
 the system engineering activities.
Security and Privacy requirements are clearly articulated and communicated to each
organizational entity to help ensure mission and business success.
The 3 Tiers of Organization-Wide Risk Management
Risk is addressed at the 3 tiers of the organization:
 Level 1 – Organization level
 Level 2 – Mission/business process level
 Level 3 – Information system or System Component level.
See NIST SP 800-39 for guidance on organization-wide risk management.
Overview of Activities at Levels 1 and 2
 The activities conducted at Levels 1 (organization) and 2 (mission/business process)
are critical to preparing the organization to execute the RMF.
 Preparation involves a wide range of activities that go beyond managing the
security and privacy risks associated with operating or using specific systems and
includes activities that are essential to managing security and privacy risks
appropriately throughout the organization.
Overview of Activities at Levels 1 and 2
Decisions about how to manage security and privacy risks at the system level (Level 3) cannot
be made in isolation. Such decisions are closely linked to decisions regarding:
 Mission/business objectives of the organization;
 Modernization of information systems, components, and services to adopt new and
innovative technologies;
 Enterprise architecture and the need to manage and reduce the complexity of systems
through consolidation, optimization, and standardization (i.e., reducing the attack surface and
technology footprint exploitable by adversaries);
 Allocation of resources to ensure the organization can conduct its missions and business
operations with a high degree of effectiveness, efficiency, and cost-effectiveness.
Levels 1 and 2 Preparation Activities (1 of 4)
1. Assigning key roles and responsibilities for risk management processes.
2. Establishing a risk management strategy and organizational risk tolerance.
3. Identifying the missions, business functions, and business processes the information
system is intended to support.
4. Identifying key stakeholders that have an interest in the information system.
5. Identifying and prioritizing assets (including information assets).
Levels 1 and 2 Preparation Activities (2 of 4)
6. Understanding threats to information systems, organizations, and individuals.
7. Conducting risk assessments.
8. Identifying and prioritizing key stakeholder protection needs and security and
privacy requirements.
9. Determining systems-of-interest (i.e., authorization boundaries).
Levels 1 and 2 Preparation Activities (3 of 4)
10. Defining information systems in terms of the enterprise architecture.
11. Developing the security and privacy architectures that include controls suitable for
inheritance by organizational systems (common controls).
12. Identifying, aligning, and de-conflicting requirements.
13. Allocating both security and privacy requirements to information systems and
environments in which those systems operate.
Overview of Level 3 Activities (Information Systems)
 In contrast to Level 1 and 2 activities that prepare the organization for the execution
of the RMF, Level 3 addresses risk from an Information System perspective and is
guided and informed by the risk decisions at the organization and mission/business
process levels.
 The risk decisions at Levels 1 and 2 impact the selection and implementation of
controls at the system level.
 System security and privacy requirements are satisfied by the selection and the
implementation of controls from NIST SP 800-53.
NIST SP 800-53 Controls
 Controls are traceable to the security and privacy requirements established
by the organization to ensure that there is
 transparency in the development of security and privacy solutions and that the
 requirements are fully addressed during system design, development, implementation,
and maintenance.
THE 7 STEPS IN THE RISK MANAGEMENT FRAMEWORK
Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
Risk Management Framework (NIST SP 800-37 Rev. 2)
More about the RMF Steps
 The steps in the RMF can also be aligned with the systems security engineering processes
defined in NIST SP 800-60, Vol I.
 The steps can be carried out in any order.
 If executing the RMF for the first time, you will likely carry out the steps in sequential order.
 Once the system is in the operation and maintenance phase of the SDLC (as part of the
continuous monitoring step) events may dictate non-sequential execution.
 The risk management approach selected by an organization may vary on a continuum from
top-down to decentralized consensus among peers; however, organizations (in all cases) use
a consistent approach that is applied to risk management processes across the enterprise
from the organization level to the information system level.
 Senior officials must identify and secure the needed resources to complete the 800-37 risk
management tasks and ensure that those resources are made available to the appropriate
personnel.
INFORMATION SECURITY & PRIVACY UNDER THE RMF
The 2016 Revision of OMB Circular A-130 Requires Organizations to Integrate Privacy into the RMF Process
INFORMATION SECURITY PROGRAMS VS. PRIVACY PROGRAMS
Information Security Programs
Information Security programs are responsible for
protecting information and information systems
from unauthorized access, use, disclosure,
modification, or destruction in order to provide
confidentiality, integrity, and availability.
Privacy Programs
Privacy programs are responsible for ensuring
compliance with applicable privacy requirements
and for managing the dissemination, disclosure, or
disposal (collectively referred to as “processing”)
of PII.
Privacy programs are responsible for managing the
risks to individuals that may result from the
creation, collection, use, and retention of PII; the
inadequate quality or integrity of PII; and the lack
of appropriate notice, transparency, or
participation.
The Relationship of Information Security Programs and Privacy
Programs Under the RMF
 The objectives of the InfoSec and Privacy programs are overlapping and complementary
(CIA).
 When a system processes PII, the information security program and privacy program have a
shared responsibility for managing the risks to individuals that may arise from unauthorized
system activity or behavior. This requires the 2 programs to collaborate when selecting,
implementing, assessing,and monitoring security controls.
 However, protecting individuals’ privacy cannot be achieved solely by securing PII. Not all
privacy risks arise from unauthorized system activity or behavior, such as
unauthorized access or disclosure of PII. Some privacy risks may result from
authorized activity that is beyond the scope of information security.
Privacy Programs Implement, Assess, and Monitor Privacy Controls
 To ensure compliance with applicable privacy requirements and to manage privacy
risks, Privacy Programs also select, implement, assess, and monitor privacy controls.
 Privacy Controls are listed in SP 800-53 Appendix J.
 Organizations manage risk under the RMF from authorized processing of PII and
from unauthorized system activity or behavior.
SYSTEM AND SYSTEM ELEMENTS
Systems and the SDLC
 It is important to describe information systems in the context of the 5-phase SDLC
(Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal)
and how security and privacy capabilities are implemented within the basic
components of those systems.
 Take a broad view of the entire SDLC to provide a contextual relationship and
linkage to architectural and engineering concepts that allow security and privacy
issues to be addressed at the appropriate level of detail to help ensure that such
capabilities are achieved.
What is an Information System?
 Federal law defines an information system as a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing, dissemination, or
disposition of information.
 ISO/IEC/IEEE 15288 defines a system as a set of interacting elements organized to
achieve one or more stated purposes.
 Every system operates within an environment that influences the system and its
operation.
System Elements
 System elements include technology or machine elements, human elements, and
physical or environmental elements.
 Individual system elements or a combination of system elements may satisfy stated
system requirements and may be implemented via hardware, software, or
firmware; physical structures or devices; or people, processes, policies, and
procedures.
 Interconnections between system elements allow those elements to interact to
produce a capability as specified by the system requirements.
System-of-Interest
 The set of system elements, system element interconnections, and the
environment in which the system operates.
 Determines the authorization boundary for the execution of the RMF.
 May be supported by one or more enabling systems that provide support during
the system life cycle.
The enabling systems are NOT within the authorization boundary of the system-of-interest
and do not necessarily exist in the operational environment of the system-of-interest.
The RMF is Applied to an Authorization Boundary
 The RMF is applied to an authorization boundary that can be conceptualized as a
system-of-interest – NOT to individual system elements.
 Organizations can employ component-level assessments for system elements and
can take advantage of the assessment results generated during that process to
support risk-based decision making for the system.
Example: The Common Criteria evaluation provides independent component-level
assessments for IT products.
Conceptual View of the System-of-Interest
Risk Management Activities and the SDLC
 Risk management activities begin early in the SDLC and continue throughout.
 Help to shape the security and privacy capabilities of the system.
 Ensure that the necessary controls are implemented.
 Ensure that security and privacy risks are being adequately addressed on an ongoing
basis.
 Ensure that the authorizing officials understand the current security and privacy
posture of the system in order to accept the risk.
Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal
CONTROL ALLOCATION
Common, System-Specific, and Hybrid Controls
3 Types of Controls
 System-Specific controls provide a security or privacy capability for an
information system.
 Common controls provide a security or privacy capability for multiple systems.
 Hybrid controls have system-specific and common characteristics.
What is Control Allocation?
 Control allocation is the process employed to determine whether controls are
system-specific, common, or hybrid AND to assign the controls to the specific system
elements responsible for providing a security or privacy capability.
 Controls are allocated to a system or an organization consistent with the enterprise
architecture and security or privacy architecture.
 Security control allocation also occurs during the SDLC process as part of
requirements engineering.
See NIST SP 800-160 Volume 1 for systems security engineering activities associated with system life cycle
processes to achieve trustworthy, secure components, systems, and services.
Why Use Common Controls?
 Organizations are encouraged to identify and implement common controls that can
support multiple information systems as a common protection capability.
 When common controls are used to support a specific system, they are referenced
by that system as inherited controls.
 Common controls promote cost-effective, efficient, and consistent security and
privacy safeguards across the organization.
 Common controls can simplify risk management processes and activities.
Allocation Assigns Responsibility and Accountability
 Allocating controls to a system as system-specific controls, hybrid controls, or
common controls, assigns responsibility and accountability to specific
organizational entities for the:
 development,
 implementation,
 assessment,
 authorization, and
 monitoring of those controls.
Control Allocation Produces Risk-Related Information
Control Allocation produces risk-related information for senior leaders about the
security and privacy posture of systems and the business processes supported by those
systems.
 System Security/Privacy Plans (SSP)
 System Security/Privacy Assessment Report (SAR)
 System Plan of Action and Milestones (POAM)
 Common Controls Security/Privacy Plans, Security/Privacy Assessment Report, and
Plan of Action and Milestones (POAM)
This information supports authorization and ongoing authorization decisions.
ORGANIZATION-WIDE CONTROL ALLOCATION
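The allocation decision described on the preceding slides (decide whether each required control is system-specific, common, or hybrid; assign it to the element or provider that supplies the capability; record who is accountable; and surface the unallocated controls that belong in the POA&M) can be written down as a small model. The Python below is an added illustration, not code from the slides or from NIST. The control identifiers are SP 800-53 ids; the payroll system, the provider entities, the system elements and the owners are constructed for the example.

```python
"""Control allocation for one system under the RMF (added illustration).

Inputs: the controls a system must satisfy, the organization's catalog of
common controls offered for inheritance, and the capabilities implemented
inside the system's own authorization boundary. Output: each control's
allocation (system-specific, common, or hybrid), the entity accountable for
it, and the controls with no allocation at all (POA&M candidates).
All system names, entities and elements below are constructed examples.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Allocation(Enum):
    SYSTEM_SPECIFIC = "system-specific"  # capability provided by the system itself
    COMMON = "common"                    # inherited from a common control provider
    HYBRID = "hybrid"                    # part inherited, part system-specific


@dataclass(frozen=True)
class ControlRecord:
    control_id: str
    allocation: Allocation
    # Entities accountable for developing, implementing, assessing,
    # authorizing and monitoring this control (two entities for a hybrid).
    accountable: Tuple[str, ...]
    # System element(s) or common control provider supplying the capability.
    element: str


def allocate_controls(
    required: Iterable[str],
    common_catalog: Dict[str, str],
    system_implementations: Dict[str, Tuple[str, str]],
) -> Tuple[List[ControlRecord], List[str]]:
    """Decide system-specific / common / hybrid for every required control.

    common_catalog maps control id -> common control provider entity.
    system_implementations maps control id -> (system element, owner entity).
    A control offered by a provider AND implemented locally is hybrid; only
    offered is common (inherited); only local is system-specific; neither is
    reported as a gap for the plan of action and milestones.
    """
    records: List[ControlRecord] = []
    gaps: List[str] = []
    for cid in sorted(required):
        provider = common_catalog.get(cid)
        local = system_implementations.get(cid)
        if provider and local:
            element, owner = local
            records.append(ControlRecord(cid, Allocation.HYBRID,
                                         (provider, owner), f"{provider} + {element}"))
        elif provider:
            records.append(ControlRecord(cid, Allocation.COMMON, (provider,), provider))
        elif local:
            element, owner = local
            records.append(ControlRecord(cid, Allocation.SYSTEM_SPECIFIC, (owner,), element))
        else:
            gaps.append(cid)
    return records, gaps


def accountability_matrix(records: Iterable[ControlRecord]) -> Dict[str, List[str]]:
    """Map each accountable entity to the control ids it answers for."""
    matrix: Dict[str, List[str]] = {}
    for rec in records:
        for entity in rec.accountable:
            matrix.setdefault(entity, []).append(rec.control_id)
    return matrix


def allocation_summary(records: Iterable[ControlRecord]) -> Dict[str, int]:
    """Count records per allocation type (input to the SSP / AO briefing)."""
    counts = {kind.value: 0 for kind in Allocation}
    for rec in records:
        counts[rec.allocation.value] += 1
    return counts


# Constructed sample: a hypothetical payroll system. Control ids are
# SP 800-53 identifiers; the entities and elements are invented.
REQUIRED = {"AC-2", "AU-2", "CP-9", "IA-2", "IR-4", "PE-3", "SC-7"}
COMMON_CATALOG = {
    "PE-3": "Facilities Office",             # physical access control
    "IR-4": "Enterprise SOC",                # incident handling
    "AU-2": "Enterprise Logging Service",    # audit events (central part)
    "IA-2": "Enterprise Identity Service",   # identification and authentication
}
SYSTEM_IMPLEMENTATIONS = {
    "AC-2": ("Payroll app RBAC module", "Payroll System Owner"),
    "AU-2": ("Payroll app audit hooks", "Payroll System Owner"),   # local part of AU-2
    "SC-7": ("Payroll VPC firewall rules", "Payroll Platform Team"),
}

if __name__ == "__main__":
    recs, missing = allocate_controls(REQUIRED, COMMON_CATALOG, SYSTEM_IMPLEMENTATIONS)
    for r in recs:
        print(f"{r.control_id:<5} {r.allocation.value:<16} {', '.join(r.accountable)}")
    print("summary:", allocation_summary(recs))
    print("unallocated (POA&M candidates):", missing)
    print("accountability:", accountability_matrix(recs))
```

Run as a script, the sample yields three common (inherited) controls, two system-specific controls, one hybrid control (AU-2, for which both the logging service and the system owner are accountable) and one gap (CP-9) that no provider or system element covers. The accountability matrix is the piece an authorizing official needs: it names, per organizational entity, the controls that entity is answerable for across development, implementation, assessment, authorization and monitoring.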
SECURITY AND PRIVACY POSTURE
What is the Security and Privacy Posture?
The security and privacy posture represents the STATUS of the information systems
and information resources within an organization based on information assurance
resources and the capabilities in place to:
 manage the defense of the organization;
 comply with privacy requirements and manage privacy risks; and
 react as the situation changes.
Understanding the security and privacy posture of organizational information systems
and the common controls that are designated for inheritance by those systems is key to
the authorizing official's ability to make risk-based decisions.
Continuous Monitoring and Assessing of Controls
 The Security and Privacy posture is determined on an ongoing basis by assessing and
continuously monitoring implemented controls.
 The control assessments and monitoring activities provide evidence that the
controls are implemented correctly, operating as intended, and satisfying the security
and privacy requirements in response to business requirements, laws, regulations,
policies, or standards.
 Authorizing officials use the security and privacy posture to determine if the risk is
acceptable based on the organization’s risk management strategy and
organizational risk tolerance.
See RMF Prepare-Organization Level step, Task P-2.
SUPPLY CHAIN RISK MANAGEMENT
Why Supply Chain Risk Management is Needed
 Organizations are becoming increasingly reliant on external providers for component
products, systems, and services needed to carry out important business functions.
 Organizations remain responsible and accountable for the risk incurred when using
external suppliers.
Supply Chain Threats
 Insertion of Counterfeits
 Unauthorized Production
 Tampering
 Theft
 Insertion of Malicious software and hardware
 Shoddy manufacturing
 Poor development practices
Why Do We Have Supply Chain Risks?
 Decreased visibility into (and understanding of) how the technology acquired is
developed, integrated, and deployed.
 Limited knowledge and/or control of the processes, procedures, and practices used
to assure the integrity, security, resilience, and quality of the acquired products,
systems, and services.
Challenges to Managing Supply Chain Risk
 Defining the types of products, systems, and services that are outsourced.
 Describing how the products, systems, and services are protected in keeping with
the security and privacy requirements of the organization.
 Obtaining the necessary assurances that the risk arising from outsourcing is
avoided, mitigated, or accepted.
Develop a Supply Chain Risk Management Policy
 Guides and informs SCRM activities.
 Supports applicable organizational policies (acquisition and procurement, information
security and privacy, quality, supply chain, and logistics)
 Addresses the goals and objectives in the organization’s strategic plan, specific
missions and business functions, and the internal and external customer
requirements.
 Defines the integration points for SCRM with the risk management and the SDLC
processes.
 Defines SCRM-related roles and responsibilities, dependencies among those roles,
and interactions among the roles.
THE PROCESS – SUMMARY OF THE RMF TASKS
The Structure of RMF Steps and Tasks
 Each STEP in the RMF has a purpose statement, a defined set of outcomes, and a set
of tasks that are carried out to achieve those outcomes.
 Each TASK contains a set of potential inputs needed to execute the task and a set of
potential outputs generated from task execution.
 Each task describes the phase of the SDLC where task execution takes place and the
risk management roles and responsibilities associated with the task.
 There is a discussion section and references to provide information on how to
effectively execute each task.
Task P-2 Risk Management Strategy
 Task 2 Establish a risk management strategy for the organization that includes a
determination of risk tolerance.
 Potential Inputs: Organizational mission statement; organizational policies; organizational
risk assumptions, constraints, priorities and trade-offs.
 Potential Outputs: Risk management strategy and statement of risk tolerance.
 Primary Responsibility: Head of Agency
 Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive
(Function); Chief Information Officer; Senior Agency Information Security Officer; Senior
Agency Official for Privacy.
 Discussion: Risk tolerance is the level or degree of risk or uncertainty that is acceptable to
an organization. Risk tolerance affects all components of the risk management process...
 References: NIST Special Publication 800-30; NIST Special Publication 800-39
(Organization Level); NIST Special Publication 800-160, Volume 1 (Risk Management,
Decision Management, Quality Assurance, Quality Management, Project Assessment and
Control Processes); NIST Special Publication 800-161; NIST Interagency Report 8062; NIST
Cybersecurity Framework (Core [Identify Function]).
Risk Management Framework (NIST SP 800-37 Rev. 2)
7 Organization-Level PREPARE Tasks
 Task P-1: Risk Management Roles
 Task P-2: Risk Management Strategy
 Task P-3: Risk Assessment – Organization
 Task P-4: Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles (optional)
 Task P-5: Common Control Identification
 Task P-6: Impact-Level Prioritization (optional)
 Task P-7: Continuous Monitoring Strategy – Organization
The Purpose of the PREPARE Step
 Carry out essential activities at the organization, mission and business process, and information system levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.
11 System-Level PREPARE Tasks
 Task P-8: Mission or Business Focus
 Task P-9: System Stakeholders
 Task P-10: Asset Identification
 Task P-11: Authorization Boundary
 Task P-12: Information Types
 Task P-13: Information Life Cycle
 Task P-14: Risk Assessment – System
 Task P-15: Requirements Definition
 Task P-16: Enterprise Architecture
 Task P-17: Requirements Allocation
 Task P-18: System Registration
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2
Purpose of the Categorize Step
 The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.
3 CATEGORIZE Tasks
 Task C-1: System Description
 Task C-2: Security Categorization
 Task C-3: Security Categorization Review and Approval
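Worked example, added here and not part of the slide deck or of any NIST publication: Task C-2 produces the system security category by applying the FIPS 199 high-water mark, which SP 800-37 Rev. 2 references for this step. The Python below implements that aggregation over a set of information types. The information types and their impact values are constructed sample data, not an SP 800-60 mapping, and the function names are this example's own.

```python
"""FIPS 199 high-water-mark security categorization for the RMF Categorize step.

Added example, not code from the slide deck: it implements the aggregation
rule from FIPS 199 that Task C-2 applies. The information types and their
impact values below are constructed sample data (hypothetical), not an
authoritative SP 800-60 mapping.
"""
from enum import IntEnum
from typing import Dict, Mapping, Optional, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# One provisional categorization per information type, ordered (C, I, A).
# None encodes the FIPS 199 value "not applicable", which is allowed only for
# the confidentiality objective of an information type (e.g. public information).
InfoTypeCategory = Tuple[Optional[Impact], Impact, Impact]

SAMPLE_INFO_TYPES: Dict[str, InfoTypeCategory] = {  # constructed sample data
    "public web content": (None, Impact.LOW, Impact.LOW),
    "customer PII": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payment records": (Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}


def categorize_system(info_types: Mapping[str, InfoTypeCategory]) -> Dict[str, Impact]:
    """Return the system security category as {objective: Impact}.

    FIPS 199 rules applied here:
      * per objective, the system value is the highest (high-water mark) of the
        values assigned to that objective across all information types;
      * "not applicable" is valid only for confidentiality of an information
        type and never for a system, so the system floor for every objective
        is LOW.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    system: Dict[str, Impact] = {obj: Impact.LOW for obj in OBJECTIVES}
    for name, values in info_types.items():
        if len(values) != len(OBJECTIVES):
            raise ValueError(f"{name}: expected a (C, I, A) triple, got {values!r}")
        for obj, value in zip(OBJECTIVES, values):
            if value is None:
                if obj != "confidentiality":
                    raise ValueError(f"{name}: 'not applicable' is only allowed for confidentiality")
                continue  # contributes nothing; the LOW system floor still applies
            system[obj] = max(system[obj], Impact(value))
    return system


def overall_impact(system: Mapping[str, Impact]) -> Impact:
    """Overall impact level (FIPS 200): the high-water mark across the three
    objectives. This is what selects the LOW/MODERATE/HIGH control baseline
    in the Select step (Task S-1)."""
    return max(system[obj] for obj in OBJECTIVES)


def format_security_category(system: Mapping[str, Impact]) -> str:
    """Render the category in the FIPS 199 notation used in system security plans."""
    parts = ", ".join(f"({obj}, {system[obj].name})" for obj in OBJECTIVES)
    return f"SC system = {{{parts}}}"


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_security_category(sc))
    print("overall impact level:", overall_impact(sc).name)
```

Two checks in the code are the ones reviewers of a Task C-3 package look for: "not applicable" is accepted only for the confidentiality objective of an information type and rejected elsewhere, and a LOW floor is applied at the system level because FIPS 199 does not permit "not applicable" in a system security category. The value returned by overall_impact is the one that drives the baseline choice in the Select step.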
Purpose of the Select Step of the RMF
 The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.
6 SELECT Tasks
 Task S-1: Control Selection
 Task S-2: Control Tailoring
 Task S-3: Control Allocation
 Task S-4: Documentation of Planned Control Implementations
 Task S-5: Continuous Monitoring Strategy – System
 Task S-6: Plan Review and Approval
Purpose of the Implement Step of the RMF
 The purpose of the Implement step is to implement the controls in the security and privacy plans for the system and for the organization, and to document the specific details of the control implementation in a baseline configuration.
2 IMPLEMENT Tasks
 Task I-1: Control Implementation
 Task I-2: Update Control Implementation Information
Purpose of the Assess Step of the RMF
 The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
6 ASSESS Tasks
 Task A-1: Assessor Selection
 Task A-2: Assessment Plan
 Task A-3: Control Assessments
 Task A-4: Assessment Reports (Security and Privacy)
 Task A-5: Remediation Actions
 Task A-6: Plan of Action and Milestones
Purpose of the Authorize Step of the RMF
 The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.
The 5 AUTHORIZE Tasks
 Task R-1: Authorization Package
 Task R-2: Risk Analysis and Determination
 Task R-3: Risk Response
 Task R-4: Authorization Decision
 Task R-5: Authorization Reporting
Purpose of the Monitor Step of the RMF
 The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.
7 MONITOR Tasks
 Task M-1: System and Environment Changes
 Task M-2: Ongoing Assessments
 Task M-3: Ongoing Risk Response
 Task M-4: Authorization Updates
 Task M-5: Security and Privacy Posture Reporting
 Task M-6: Ongoing Authorization
 Task M-7: System Disposal
NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 89
DeniseTawwab, CISSP
5 Core Documents
 NIST SP 800-39, Managing Information Security Risk
 NIST SP 800-30, Guide for Conducting Risk Assessments
 NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
 NIST SP 800-53, Recommended Security Controls for Federal Information Systems
 NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
and Organizations
NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 90
UnderstandingThe NIST Risk Management
Framework – NIST SP 800-37 Revision 2
DeniseTawwab, CISSP, CCSK
Information Security Risk and Compliance Consultant
www.denisetawwab.com
919.339.2253 91
June 2-5, 2019 | Myrtle Beach, SC

Weitere ähnliche Inhalte

Was ist angesagt?

NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
RMF Roles and Responsibilities (Part 1)
RMF Roles and Responsibilities (Part 1) RMF Roles and Responsibilities (Part 1)
RMF Roles and Responsibilities (Part 1) Donald E. Hester
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Cyber Security Maturity Assessment
 Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity AssessmentDoreen Loeber
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutDevSecCon
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopLife Cycle Engineering
 

Was ist angesagt? (20)

NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment Basics
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
 
RMF Roles and Responsibilities (Part 1)
RMF Roles and Responsibilities (Part 1) RMF Roles and Responsibilities (Part 1)
RMF Roles and Responsibilities (Part 1)
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Cyber Security Maturity Assessment
 Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert Hurlbut
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk Assessment
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 

Ähnlich wie Understanding the NIST Risk Management Framework: 800-37 Rev. 2

Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)MetroStar
 
NISTSP80037rev2-by Beruos.pptx
NISTSP80037rev2-by Beruos.pptxNISTSP80037rev2-by Beruos.pptx
NISTSP80037rev2-by Beruos.pptxMuhammad Mazhar
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2newbie2019
 
NIST Special Publication 800-37 Revision 2 Ris.docx
 NIST Special Publication 800-37 Revision 2  Ris.docx NIST Special Publication 800-37 Revision 2  Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docxrobert345678
 
Bluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdfBluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdftom termini
 
NIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTNIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTebonyman0007
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Riskamiable_indian
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security TutorialNeil Matatall
 
Familiarizing with a major ISMS Standard
Familiarizing with a major ISMS StandardFamiliarizing with a major ISMS Standard
Familiarizing with a major ISMS StandardNicole Gaehle, MSIST
 
DojoSec FISMA Presentation
DojoSec FISMA PresentationDojoSec FISMA Presentation
DojoSec FISMA Presentationdanphilpott
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxKinetic Potential
 
2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public SectorScott Geye
 

Ähnlich wie Understanding the NIST Risk Management Framework: 800-37 Rev. 2 (20)

5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
 
NISTSP80037rev2-by Beruos.pptx
NISTSP80037rev2-by Beruos.pptxNISTSP80037rev2-by Beruos.pptx
NISTSP80037rev2-by Beruos.pptx
 
800-37.pptx
800-37.pptx800-37.pptx
800-37.pptx
 
NIST.SP.800-37r2.pdf
NIST.SP.800-37r2.pdfNIST.SP.800-37r2.pdf
NIST.SP.800-37r2.pdf
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2
 
NISTSP80037rev2.pptx
NISTSP80037rev2.pptxNISTSP80037rev2.pptx
NISTSP80037rev2.pptx
 
NIST Special Publication 800-37 Revision 2 Ris.docx
 NIST Special Publication 800-37 Revision 2  Ris.docx NIST Special Publication 800-37 Revision 2  Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docx
 
Bluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdfBluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdf
 
NIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTNIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NIST
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Risk
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
Familiarizing with a major ISMS Standard
Familiarizing with a major ISMS StandardFamiliarizing with a major ISMS Standard
Familiarizing with a major ISMS Standard
 
Ssdf nist
Ssdf nistSsdf nist
Ssdf nist
 
DojoSec FISMA Presentation
DojoSec FISMA PresentationDojoSec FISMA Presentation
DojoSec FISMA Presentation
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptx
 
2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector
 

Kürzlich hochgeladen

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Kürzlich hochgeladen (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Understanding the NIST Risk Management Framework: 800-37 Rev. 2

  • 1. Understanding The NIST Risk Management Framework – NIST SP 800-37 Revision 2
    Denise Tawwab, CISSP, CCSK, Information Security Risk and Compliance Consultant, www.denisetawwab.com, 919.339.2253
    June 2-5, 2019 | Myrtle Beach, SC
  • 2. What We Will Cover in This Section
    - Background of NIST RMF
    - Target Audience
    - NIST 800-37 Fundamentals
    NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 3. BACKGROUND
  • 4. Joint Task Force Transformation Initiative (JTFTI)
    - The JTFTI Interagency Working Group came together to produce a unified information security framework for the federal government.
    - JTFTI members came from:
      - National Institute of Standards and Technology (NIST)
      - Department of Defense (DOD)
      - Office of the Director of National Intelligence (ODNI), and
      - Committee on National Security Systems (CNSS)
    - JTFTI produced 5 core NIST FISMA documents that define the risk management process, develop the risk management framework (RMF) to improve information security, and encourage reciprocity among organizations.
  • 5. 5 Core Documents
    - NIST SP 800-39, Managing Information Security Risk
    - NIST SP 800-30, Guide for Conducting Risk Assessments
    - NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
    - NIST SP 800-53, Recommended Security Controls for Federal Information Systems
    - NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations
  • 6. The NIST Risk Management Framework (RMF)
    The RMF provides a dynamic and flexible approach to
    - effectively manage information security and privacy risks
    - in diverse environments
    - with complex and sophisticated threats, changing missions, and system vulnerabilities.
  • 7. The NIST Risk Management Framework (RMF)
    The NIST Risk Management Framework emphasizes risk management by:
    - Building security and privacy capabilities into information systems throughout the Systems Development Life Cycle (SDLC);
    - Maintaining awareness of the security and privacy posture of information systems on an ongoing basis through continuous monitoring processes;
    - Providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of systems.
  • 8. 8 Goals of the RMF (1 of 2)
    1. Provides a repeatable process designed to promote the protection of information and information systems commensurate with risk.
    2. Emphasizes organization-wide preparation necessary to manage security and privacy risks.
    3. Facilitates the categorization of information and systems; the selection, implementation, assessment, and monitoring of controls; and the authorization of information systems and common controls.
    4. Promotes near real-time risk management and ongoing system and control authorization through the implementation of robust continuous monitoring processes.
  • 9. 8 Goals of the RMF (2 of 2)
    5. Encourages the use of automation to provide senior leaders with the necessary information to make cost-effective, risk-based decisions for information systems supporting their missions and business functions.
    6. Facilitates the seamless integration of security and privacy requirements and controls into enterprise architecture, SDLC, acquisition processes, and systems engineering processes.
    7. Connects risk management processes at the organization and mission/business process levels to risk management processes at the information system level via a risk executive (function).
    8. Establishes responsibility and accountability for controls implemented within information systems and inherited by those systems.
  • 10. Reciprocity
    - Reciprocity is an agreement among participating organizations to accept each other’s security and privacy assessment results, to reuse system resources, or to accept each other’s assessed security and privacy posture to share information.
  • 11. RMF 2.0 [diagram]
    - Communication between C-Suite and Implementers and Operators
    - Security Risk Management
    - Privacy Risk Management
    - Supply Chain Risk Management
    - Alignment with Security Engineering Processes
    - Alignment with NIST Cybersecurity Framework
  • 12. RMF Target Audience (2 of 2)
    - People responsible for conducting security or privacy assessments and for monitoring information systems (control assessors, auditors, and system owners).
    - People with security or privacy implementation and operational responsibilities (system owners, common control providers, information owners/stewards, mission or business owners, security or privacy architects, and systems security or privacy engineers).
  • 13. NIST 800-37 FUNDAMENTALS
  • 14. What We Will Cover – Fundamentals
    - Organization-Wide Risk Management
    - Information Security and Privacy Under the RMF
    - System and System Elements
    - Control Allocation
    - Security and Privacy Posture
    - Supply Chain Risk Management
  • 15. Organization-Wide Risk Management
    Managing information system-related security and privacy risks is a complex undertaking that requires the involvement of the entire organization –
    - from senior leaders providing the strategic vision and top-level goals and objectives for the organization,
    - to mid-level leaders planning and managing projects,
    - to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions.
  • 16. Organization-Wide Risk Management
    Risk management is a holistic activity that is fully integrated into every aspect of the organization, including:
    - the mission and business planning activities,
    - the enterprise architecture,
    - the SDLC processes, and
    - the system engineering activities.
    Security and privacy requirements are clearly articulated and communicated to each organizational entity to help ensure mission and business success.
  • 17. The 3 Tiers of Organization-Wide Risk Management
    Risk is addressed at the 3 tiers of the organization:
    - Level 1 – Organization level
    - Level 2 – Mission/business process level
    - Level 3 – Information system or system component level
    See NIST SP 800-39 for guidance on organization-wide risk management.
  • 18. Overview of Activities at Levels 1 and 2
    - The activities conducted at Levels 1 (organization) and 2 (mission/business process) are critical to preparing the organization to execute the RMF.
    - Preparation involves a wide range of activities that go beyond managing the security and privacy risks associated with operating or using specific systems and includes activities that are essential to managing security and privacy risks appropriately throughout the organization.
  • 19. Overview of Activities at Levels 1 and 2
    Decisions about how to manage security and privacy risks at the system level (Level 3) cannot be made in isolation. Such decisions are closely linked to decisions regarding:
    - Mission/business objectives of the organization;
    - Modernization of information systems, components, and services to adopt new and innovative technologies;
    - Enterprise architecture and the need to manage and reduce the complexity of systems through consolidation, optimization, and standardization (i.e., reducing the attack surface and technology footprint exploitable by adversaries);
    - Allocation of resources to ensure the organization can conduct its missions and business operations with a high degree of effectiveness, efficiency, and cost-effectiveness.
  • 20. Levels 1 and 2 Preparation Activities (1 of 4)
    1. Assigning key roles and responsibilities for risk management processes.
    2. Establishing a risk management strategy and organizational risk tolerance.
    3. Identifying the missions, business functions, and business processes the information system is intended to support.
    4. Identifying key stakeholders that have an interest in the information system.
    5. Identifying and prioritizing assets (including information assets).
  • 21. Levels 1 and 2 Preparation Activities (2 of 4)
    6. Understanding threats to information systems, organizations, and individuals.
    7. Conducting risk assessments.
    8. Identifying and prioritizing key stakeholder protection needs and security and privacy requirements.
    9. Determining systems-of-interest (i.e., authorization boundaries).
  • 22. Levels 1 and 2 Preparation Activities (3 of 4)
    10. Defining information systems in terms of the enterprise architecture.
    11. Developing the security and privacy architectures that include controls suitable for inheritance by organizational systems (common controls).
    12. Identifying, aligning, and de-conflicting requirements.
    13. Allocating both security and privacy requirements to information systems and environments in which those systems operate.
  • 23. [figure only]
  • 24. Overview of Level 3 Activities (Information Systems)
    - In contrast to Level 1 and 2 activities that prepare the organization for the execution of the RMF, Level 3 addresses risk from an information system perspective and is guided and informed by the risk decisions at the organization and mission/business process levels.
    - The risk decisions at Levels 1 and 2 impact the selection and implementation of controls at the system level.
    - System security and privacy requirements are satisfied by the selection and the implementation of controls from NIST SP 800-53.
  • 25. NIST SP 800-53 Controls
    - Controls are traceable to the security and privacy requirements established by the organization to ensure that there is transparency in the development of security and privacy solutions and that the requirements are fully addressed during system design, development, implementation, and maintenance.
  • 26. THE 7 STEPS IN THE RISK MANAGEMENT FRAMEWORK
    Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
  • 27. Risk Management Framework (NIST SP 800-37 Rev. 2) [figure]
  • 28. More about the RMF Steps
    - The steps in the RMF can also be aligned with the systems security engineering processes defined in NIST SP 800-60, Vol I.
    - The steps can be carried out in any order.
    - If executing the RMF for the first time, you will likely carry out the steps in sequential order.
    - Once the system is in the operation and maintenance phase of the SDLC (as part of the continuous monitoring step), events may dictate non-sequential execution.
    - The risk management approach selected by an organization may vary on a continuum from top-down to decentralized consensus among peers; however, organizations (in all cases) use a consistent approach that is applied to risk management processes across the enterprise from the organization level to the information system level.
    - Senior officials must identify and secure the needed resources to complete the 800-37 risk management tasks and ensure that those resources are made available to the appropriate personnel.
  • 29. What We Will Cover – Fundamentals
    - Organization-Wide Risk Management
    - Information Security and Privacy Under the RMF
    - System and System Elements
    - Control Allocation
    - 2.5 - Security and Privacy Posture
    - 2.6 - Supply Chain Risk Management
  • 30. INFORMATION SECURITY & PRIVACY UNDER THE RMF
    The 2016 Revision of OMB Circular A-130 Requires Organizations to Integrate Privacy into the RMF Process
  • 31. INFORMATION SECURITY PROGRAMS VS. PRIVACY PROGRAMS
    Information Security Programs: Information security programs are responsible for protecting information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability.
    Privacy Programs: Privacy programs are responsible for ensuring compliance with applicable privacy requirements and for managing the dissemination, disclosure, or disposal (collectively referred to as “processing”) of PII. Privacy programs are responsible for managing the risks to individuals that may result from the creation, collection, use, and retention of PII; the inadequate quality or integrity of PII; and the lack of appropriate notice, transparency, or participation.
  • 32. The Relationship of Information Security Programs and Privacy Programs Under the RMF
    - The objectives of the InfoSec and Privacy programs are overlapping and complementary (CIA).
    - When a system processes PII, the information security program and privacy program have a shared responsibility for managing the risks to individuals that may arise from unauthorized system activity or behavior. This requires the 2 programs to collaborate when selecting, implementing, assessing, and monitoring security controls.
    - However, protecting individuals’ privacy cannot be achieved solely by securing PII. Not all privacy risks arise from unauthorized system activity or behavior, such as unauthorized access or disclosure of PII. Some privacy risks may result from authorized activity that is beyond the scope of information security.
  • 33. Privacy Programs Implement, Assess, and Monitor Privacy Controls
    - To ensure compliance with applicable privacy requirements and to manage privacy risks, privacy programs also select, implement, assess, and monitor privacy controls.
    - Privacy controls are listed in SP 800-53 Appendix J.
    - Organizations manage risk under the RMF from authorized processing of PII and from unauthorized system activity or behavior.
  • 34. What We Will Cover – Fundamentals
    - Organization-Wide Risk Management
    - Information Security and Privacy Under the RMF
    - System and System Elements
    - Control Allocation
    - Security and Privacy Posture
    - Supply Chain Risk Management
  • 35. SYSTEM AND SYSTEM ELEMENTS
  • 36. Systems and the SDLC
    - It is important to describe information systems in the context of the 5-phase SDLC (Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal) and how security and privacy capabilities are implemented within the basic components of those systems.
    - Take a broad view of the entire SDLC to provide a contextual relationship and linkage to architectural and engineering concepts that allow security and privacy issues to be addressed at the appropriate level of detail to help ensure that such capabilities are achieved.
  • 37. What is an Information System?
    - Federal law defines an information system as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
    - ISO/IEC/IEEE 15288 defines a system as a set of interacting elements organized to achieve one or more stated purposes.
    - Every system operates within an environment that influences the system and its operation.
  • 38. System Elements
    - System elements include technology or machine elements, human elements, and physical or environmental elements.
    - Individual system elements or a combination of system elements may satisfy stated system requirements and may be implemented via hardware, software, or firmware; physical structures or devices; or people, processes, policies, and procedures.
    - Interconnections between system elements allow those elements to interact to produce a capability as specified by the system requirements.
  • 39. System-of-Interest
    - The set of system elements, system element interconnections, and the environment in which the system operates.
    - Determines the authorization boundary for the execution of the RMF.
    - May be supported by one or more enabling systems that provide support during the system life cycle. The enabling systems are NOT within the authorization boundary of the system-of-interest and do not necessarily exist in the operational environment of the system-of-interest.
  • 40. The RMF is Applied to an Authorization Boundary
    - The RMF is applied to an authorization boundary that can be conceptualized as a system-of-interest – NOT to individual system elements.
    - Organizations can employ component-level assessments for system elements and can take advantage of the assessment results generated during that process to support risk-based decision making for the system. Example: The Common Criteria evaluation provides independent component-level assessments for IT products.
  • 41. Conceptual View of the System-of-Interest [figure]
  • 42. Risk Management Activities and the SDLC
    - Risk management activities begin early in the SDLC and continue throughout.
    - Help to shape the security and privacy capabilities of the system.
    - Ensure that the necessary controls are implemented.
    - Ensure that security and privacy risks are being adequately addressed on an ongoing basis.
    - Ensure that the authorizing officials understand the current security and privacy posture of the system in order to accept the risk.
    SDLC phases: Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal
  • 43. What We Will Cover – Fundamentals
    - Organization-Wide Risk Management
    - Information Security and Privacy Under the RMF
    - System and System Elements
    - Control Allocation
    - Security and Privacy Posture
    - Supply Chain Risk Management
  • 44. CONTROL ALLOCATION
    Common, System-Specific, and Hybrid Controls
  • 45. 3 Types of Controls
    - System-specific controls provide a security or privacy capability for an information system.
    - Common controls provide a security or privacy capability for multiple systems.
    - Hybrid controls have system-specific and common characteristics.
  • 46. What is Control Allocation?
    - Control allocation is the process employed to determine whether controls are system-specific, common, or hybrid AND to assign the controls to the specific system elements responsible for providing a security or privacy capability.
    - Controls are allocated to a system or an organization consistent with the enterprise architecture and security or privacy architecture.
    - Security control allocation also occurs during the SDLC process as part of requirements engineering. See NIST SP 800-160 Volume 1 for systems security engineering activities associated with system life cycle processes to achieve trustworthy, secure components, systems, and services.
  • 47. Why Use Common Controls?
    - Organizations are encouraged to identify and implement common controls that can support multiple information systems as a common protection capability.
    - When common controls are used to support a specific system, they are referenced by that system as inherited controls.
    - Common controls promote cost-effective, efficient, and consistent security and privacy safeguards across the organization.
    - Common controls can simplify risk management processes and activities.
  • 48. Allocation Assigns Responsibility and Accountability
    - Allocating controls to a system as system-specific controls, hybrid controls, or common controls assigns responsibility and accountability to specific organizational entities for the:
      - development,
      - implementation,
      - assessment,
      - authorization, and
      - monitoring of those controls.
  • 49. Control Allocation Produces Risk-Related Information
    Control allocation produces risk-related information for senior leaders about the security and privacy posture of systems and the business processes supported by those systems:
    - System Security/Privacy Plans (SSP)
    - System Security/Privacy Assessment Report (SAR)
    - System Plan of Action and Milestones (POAM)
    - Common Controls Security/Privacy Plans, Security/Privacy Assessment Report, and Plan of Action and Milestones (POAM)
    This information supports authorization and ongoing authorization decisions.
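The allocation bookkeeping that slides 45 through 49 describe, as an added Python example (not code from the deck or from NIST): each control is recorded as system-specific, common (inherited) or hybrid, the accountable organizational entity is attached to every allocation, and baseline controls that nobody has been assigned are reported as candidate POA&M items. The common control providers, the payroll system and its tailored baseline are constructed sample data; the control IDs are SP 800-53 identifiers used only as labels.

```python
"""Control allocation bookkeeping for one RMF system plan (added example).

Models the three control types (system-specific, common, hybrid), records
which organizational entity is accountable for each allocated control, and
reports baseline controls with no responsible entity. Providers, system and
baseline below are constructed sample data, not from any real organization.
"""
from enum import Enum


class ControlType(Enum):
    SYSTEM_SPECIFIC = "system-specific"
    COMMON = "common"
    HYBRID = "hybrid"


class AllocationError(ValueError):
    """Raised when an allocation cannot be recorded consistently."""


# Constructed sample: common control providers and the SP 800-53 controls
# each one offers for inheritance by organizational systems.
COMMON_CONTROL_CATALOG = {
    "Facilities Office": {"PE-3"},          # physical access control
    "Enterprise SOC": {"IR-4", "AU-6"},     # incident handling, audit record review
    "Training Office": {"AT-2"},            # awareness training
}


class SystemPlan:
    """Tracks control allocation for a single system-of-interest."""

    def __init__(self, system_id, owner, baseline):
        self.system_id = system_id
        self.owner = owner              # system owner: accountable for system-specific parts
        self.baseline = set(baseline)   # tailored control set the system must satisfy
        self.allocations = {}           # control_id -> (ControlType, accountable entities)

    def _providers_for(self, control_id, catalog):
        providers = sorted(p for p, offered in catalog.items() if control_id in offered)
        if not providers:
            raise AllocationError(f"no common control provider offers {control_id}")
        return providers

    def _record(self, control_id, ctype, accountable):
        if control_id in self.allocations:
            existing = self.allocations[control_id][0].value
            raise AllocationError(f"{control_id} already allocated as {existing}")
        self.allocations[control_id] = (ctype, tuple(accountable))

    def allocate_system_specific(self, control_id):
        """The system itself provides the capability; the owner is accountable."""
        self._record(control_id, ControlType.SYSTEM_SPECIFIC, [self.owner])

    def inherit(self, control_id, catalog=COMMON_CONTROL_CATALOG):
        """A common control is inherited; the provider, not the owner, is accountable."""
        provider = self._providers_for(control_id, catalog)[0]
        self._record(control_id, ControlType.COMMON, [provider])

    def allocate_hybrid(self, control_id, catalog=COMMON_CONTROL_CATALOG):
        """Part inherited, part system-specific: both entities are accountable."""
        provider = self._providers_for(control_id, catalog)[0]
        self._record(control_id, ControlType.HYBRID, [provider, self.owner])

    def unallocated(self):
        """Baseline controls with no responsible entity: candidate POA&M items."""
        return sorted(self.baseline - set(self.allocations))

    def inherited_controls(self):
        """Controls the system references as inherited from a common control provider."""
        return sorted(c for c, (t, _) in self.allocations.items() if t is ControlType.COMMON)

    def accountability(self):
        """Map each organizational entity to the controls it is accountable for."""
        table = {}
        for control_id, (_, entities) in self.allocations.items():
            for entity in entities:
                table.setdefault(entity, set()).add(control_id)
        return {entity: sorted(ids) for entity, ids in sorted(table.items())}


def build_sample_plan():
    """Constructed sample: a payroll system with a small tailored baseline."""
    plan = SystemPlan("PAYROLL-01", "Payroll System Owner",
                      baseline={"AC-2", "AU-6", "AT-2", "IR-4", "PE-3", "SC-7"})
    plan.allocate_system_specific("AC-2")   # account management lives in the application
    plan.inherit("PE-3")                    # data-center physical access
    plan.inherit("AT-2")                    # organization-wide training
    plan.inherit("IR-4")                    # the SOC handles incidents
    plan.allocate_hybrid("AU-6")            # SOC reviews logs, owner reviews app audit trail
    # SC-7 (boundary protection) is left unallocated on purpose to show the gap report.
    return plan


if __name__ == "__main__":
    p = build_sample_plan()
    print("inherited:", p.inherited_controls())
    print("unallocated (POA&M candidates):", p.unallocated())
    for entity, ids in p.accountability().items():
        print(f"{entity}: {', '.join(ids)}")
```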
  • 51. What We Will Cover – Fundamentals
    - Organization-Wide Risk Management
    - Information Security and Privacy Under the RMF
    - System and System Elements
    - Control Allocation
    - Security and Privacy Posture
    - Supply Chain Risk Management
  • 52. SECURITY AND PRIVACY POSTURE
  • 53. What is the Security and Privacy Posture?
    The security and privacy posture represents the STATUS of the information systems and information resources within an organization based on information assurance resources and the capabilities in place to:
    - manage the defense of the organization;
    - comply with privacy requirements and manage privacy risks; and
    - react as the situation changes.
    Understanding the security and privacy posture of organizational information systems and the common controls that are designated for inheritance by those systems is key to the authorizing official’s ability to make risk-based decisions.
  • 54. Continuous Monitoring and Assessing of Controls
    - The security and privacy posture is determined on an ongoing basis by assessing and continuously monitoring implemented controls.
    - The control assessments and monitoring activities provide evidence that the controls are implemented correctly, operating as intended, and satisfying the security and privacy requirements in response to business requirements, laws, regulations, policies, or standards.
    - Authorizing officials use the security and privacy posture to determine if the risks are acceptable based on the organization’s risk management strategy and organizational risk tolerance. See the RMF Prepare – Organization Level step, Task P-2.
  • 55. What We Will Cover – Fundamentals
    - Organization-Wide Risk Management
    - Information Security and Privacy Under the RMF
    - System and System Elements
    - Control Allocation
    - Security and Privacy Posture
    - Supply Chain Risk Management
  • 56. SUPPLY CHAIN RISK MANAGEMENT
  • 57. Why Supply Chain Risk Management is Needed
    - Organizations are becoming increasingly reliant on external providers for component products, systems, and services needed to carry out important business functions.
    - Organizations remain responsible and accountable for the risk incurred when using external suppliers.
  • 58. Supply Chain Threats
    - Insertion of counterfeits
    - Unauthorized production
    - Tampering
    - Theft
    - Insertion of malicious software and hardware
    - Shoddy manufacturing
    - Poor development practices
  • 59. Why Do We Have Supply Chain Risks?
    - Decreased visibility into (and understanding of) how the technology acquired is developed, integrated, and deployed.
    - Limited knowledge and/or control of the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the acquired products, systems, and services.
  • 60. Challenges to Managing Supply Chain Risk
    - Defining the types of products, systems, and services that are outsourced.
    - Describing how the products, systems, and services are protected in keeping with the security and privacy requirements of the organization.
    - Obtaining the necessary assurances that the risk arising from outsourcing is avoided, mitigated, or accepted.
  • 61. Develop a Supply Chain Risk Management Policy
    - Guides and informs SCRM activities.
    - Supports applicable organizational policies (acquisition and procurement, information security and privacy, quality, supply chain, and logistics).
    - Addresses the goals and objectives in the organization’s strategic plan, specific missions and business functions, and the internal and external customer requirements.
    - Defines the integration points for SCRM with the risk management and the SDLC processes.
    - Defines SCRM-related roles and responsibilities, dependencies among those roles, and interactions among the roles.
  • 62. What We Will Cover – Fundamentals
    - Organization-Wide Risk Management
    - Information Security and Privacy Under the RMF
    - System and System Elements
    - Control Allocation
    - Security and Privacy Posture
    - Supply Chain Risk Management
  • 63. THE PROCESS – SUMMARY OF THE RMF TASKS
  • 64. The Structure of RMF Steps and Tasks
    - Each STEP in the RMF has a purpose statement, a defined set of outcomes, and a set of tasks that are carried out to achieve those outcomes.
    - Each TASK contains a set of potential inputs needed to execute the task and a set of potential outputs generated from task execution.
    - Each task describes the phase of the SDLC where task execution takes place and the risk management roles and responsibilities associated with the task.
    - There is a discussion section and references to provide information on how to effectively execute each task.
  • 65. 66
  • 66. Task P-2 Risk Management Strategy  Task 2 Establish a risk management strategy for the organization that includes a determination of risk tolerance.  Potential Inputs: Organizational mission statement; organizational policies; organizational risk assumptions, constraints, priorities and trade-offs.  Potential Outputs: Risk management strategy and statement of risk tolerance.  Primary Responsibility: Head of Agency  Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy.  Discussion: Risk tolerance is the level or degree of risk or uncertainty that is acceptable to an organization. Risk tolerance affects all components of the risk management process...  References: NIST Special Publication 800-30; NIST Special Publication 800-39 (Organization Level); NIST Special Publication 800-160,Volume 1 (Risk Management, Decision Management, Quality Assurance, Quality Management, Project Assessment and Control Processes); NIST Special Publication 800-161;NIST Interagency Report 8062; NIST Cybersecurity Framework (Core [Identify Function]). 67NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 67. DeniseTawwab, CISSP 68Risk Management Framework (NIST SP 800-37 Rev. 2)
  • 68. DeniseTawwab, CISSP 7 Organization - Level PREPARE Tasks  Task P-1: Risk Management Roles  Task P-2: Risk Management Strategy  Task P-3: Risk Assessment – Organization  Task P-4: Organizationally-Tailored Control Baselines  Task P-5: Common Control Identification  Task P-6: Impact-Level Prioritization (optional)  Task P-7: Continuous Monitoring Strategy NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 69
  • 69. DeniseTawwab, CISSP The Purpose of the PREPARE Step  Carry out essential activities at the organization,mission and business process, and information system levels of the organization  To help prepare the organization to manage its security and privacy risks  using the Risk Management Framework. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 70
  • 70. DeniseTawwab, CISSP 11 System-Level PREPARE Tasks  Task P-8: Mission or Business Focus  Task P-9: System Stakeholders  Task P-10: Asset Identification  Task P-11: Authorization Boundary  Task P-12: Information Types  Task P-13 Information Life Cycle  Task P-14: Risk Assessment – System  Task P-15: Requirements Definition  Task P-16: Enterprise Architecture  Task P-17: Requirements Allocation  Task P-18: System Registration NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 71
Purpose of the Categorize Step
The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.

3 CATEGORIZE Tasks
- Task C-1: System Description
- Task C-2: Security Categorization
- Task C-3: Security Categorization Review and Approval
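The impact determination described for the Categorize step, and the Security Categorization of Task C-2, is normally carried out with the FIPS 199 high-water-mark rule that SP 800-37 Rev. 2 points to. The following is an added example, not code from the presentation or from NIST: it takes the information types a system handles, applies documented impact adjustments, and derives the system security category and overall impact level; the information types, impact values and rationale are constructed.

```python
# Added example, not from the presentation or from NIST: a FIPS 199-style
# security categorization as performed in RMF Task C-2. The high-water-mark
# rule and the "N/A only for confidentiality" rule come from FIPS 199; the
# information types, impact values and rationale below are constructed.
LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def effective_impact(info_type, objective):
    """Provisional impact for one objective, overridden by a documented adjustment."""
    level = info_type["impact"][objective]
    if objective in info_type.get("adjust", {}):
        # An adjusted level (SP 800-60 style) only counts if a rationale is recorded.
        level, rationale = info_type["adjust"][objective]
        if not rationale:
            raise ValueError(f"{info_type['name']}: {objective} adjustment needs a rationale")
    if level == "N/A" and objective != "confidentiality":
        # FIPS 199 allows N/A only for confidentiality (e.g. public information).
        raise ValueError(f"{info_type['name']}: N/A not permitted for {objective}")
    return level


def categorize_system(info_types):
    """High-water mark per objective; a system category is never below LOW."""
    category = {}
    for obj in OBJECTIVES:
        highest = max((effective_impact(t, obj) for t in info_types), key=LEVELS.index)
        category[obj] = "LOW" if highest == "N/A" else highest
    return category


def overall_impact(category):
    """Single impact level that selects the SP 800-53 baseline: the highest objective."""
    return max(category.values(), key=LEVELS.index)


def fips199_notation(system_name, category):
    """Render the category in FIPS 199 form: SC name = {(confidentiality, X), ...}."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample: a public portal that also holds benefit case records.
PORTAL_TYPES = [
    {"name": "public web content",
     "impact": {"confidentiality": "N/A", "integrity": "LOW", "availability": "LOW"}},
    {"name": "benefit case records",
     "impact": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
     "adjust": {"integrity": ("HIGH", "tampered records drive payment decisions")}},
]
```

Running `categorize_system(PORTAL_TYPES)` yields a MODERATE/HIGH/LOW category and an overall HIGH impact, which is the value Task S-1 would use to pick the control baseline in the Select step.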
Purpose of the Select Step of the RMF
The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.

6 SELECT Tasks
- Task S-1: Control Selection
- Task S-2: Control Tailoring
- Task S-3: Control Allocation
- Task S-4: Documentation of Planned Control Implementations
- Task S-5: Continuous Monitoring Strategy – System
- Task S-6: Plan Review and Approval
Purpose of the Implement Step of the RMF
The purpose of the Implement step is to implement the controls in the security and privacy plans for the system and for the organization, and to document in a baseline configuration the specific details of the control implementation.

2 IMPLEMENT Tasks
- Task I-1: Control Implementation
- Task I-2: Update Control Implementation Information
Purpose of the Assess Step of the RMF
The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

6 ASSESS Tasks
- Task A-1: Assessor Selection
- Task A-2: Assessment Plan
- Task A-3: Control Assessments
- Task A-4: Assessment Reports (Security and Privacy)
- Task A-5: Remediation Actions
- Task A-6: Plan of Action and Milestones
Purpose of the Authorize Step of the RMF
The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation, based on the operation of a system or the use of common controls, is acceptable.

The 5 AUTHORIZE Tasks and Outcomes
- Task R-1: Authorization Package
- Task R-2: Risk Analysis and Determination
- Task R-3: Risk Response
- Task R-4: Authorization Decision
- Task R-5: Authorization Reporting
Purpose of the Monitor Step of the RMF
The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.

7 MONITOR Tasks and Outcomes
- Task M-1: System and Environment Changes
- Task M-2: Ongoing Assessments
- Task M-3: Ongoing Risk Response
- Task M-4: Authorization Updates
- Task M-5: Security and Privacy Posture Reporting
- Task M-6: Ongoing Authorization
- Task M-7: System Disposal