Denise Tawwab's presentation on "Understanding the NIST Risk Management Framework" given at the Techno Security & Digital Forensics Conference on June 3, 2019 in Myrtle Beach, SC.
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
1. Understanding The NIST Risk Management Framework – NIST SP 800-37 Revision 2
Denise Tawwab, CISSP, CCSK
Information Security Risk and Compliance Consultant
www.denisetawwab.com
919.339.2253
June 2-5, 2019 | Myrtle Beach, SC
2. Denise Tawwab, CISSP
What We Will Cover in This Section
Background of NIST RMF
Target Audience
NIST 800-37 Fundamentals
NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 2
4. Joint Task Force Transformation Initiative (JTFTI)
The JTFTI Interagency Working Group came together to produce a unified information security framework for the federal government.
JTFTI members came from:
National Institute of Standards and Technology (NIST)
Department of Defense (DOD)
Office of the Director of National Intelligence (ODNI)
Committee on National Security Systems (CNSS)
JTFTI produced 5 core NIST FISMA documents that define the risk management process, develop the Risk Management Framework (RMF) to improve information security, and encourage reciprocity among organizations.
5. 5 Core Documents
NIST SP 800-39, Managing Information Security Risk
NIST SP 800-30, Guide for Conducting Risk Assessments
NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
NIST SP 800-53, Recommended Security Controls for Federal Information Systems
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations
6. The NIST Risk Management Framework (RMF)
The RMF provides a dynamic and flexible approach to effectively manage information security and privacy risks in diverse environments with complex and sophisticated threats, changing missions, and system vulnerabilities.
7. The NIST Risk Management Framework (RMF)
The NIST Risk Management Framework emphasizes risk management by:
Building security and privacy capabilities into information systems throughout the Systems Development Life Cycle (SDLC);
Maintaining awareness of the security and privacy posture of information systems on an ongoing basis through continuous monitoring processes;
Providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of systems.
8. 8 Goals of the RMF (1 of 2)
1. Provides a repeatable process designed to promote the protection of information and information systems commensurate with risk;
2. Emphasizes organization-wide preparation necessary to manage security and privacy risks;
3. Facilitates the categorization of information and systems; the selection, implementation, assessment, and monitoring of controls; and the authorization of information systems and common controls;
4. Promotes near real-time risk management and ongoing system and control authorization through the implementation of robust continuous monitoring processes;
9. 8 Goals of the RMF (2 of 2)
5. Encourages the use of automation to provide senior leaders with the necessary information to make cost-effective, risk-based decisions for information systems supporting their missions and business functions;
6. Facilitates the seamless integration of security and privacy requirements and controls into enterprise architecture, SDLC, acquisition processes, and systems engineering processes;
7. Connects risk management processes at the organization and mission/business process levels to risk management processes at the information system level via a risk executive (function);
8. Establishes responsibility and accountability for controls implemented within information systems and inherited by those systems.
10. Reciprocity
Reciprocity is an agreement among participating organizations to accept each other’s security and privacy assessment results, to reuse system resources, or to accept each other’s assessed security and privacy posture to share information.
11. RMF 2.0 (figure): Communication between C-Suite and Implementers and Operators; Security Risk Management; Privacy Risk Management; Supply Chain Risk Management; Alignment with Security Engineering Processes; Alignment with NIST Cybersecurity Framework
12. RMF Target Audience (2 of 2)
People responsible for conducting security or privacy assessments and for monitoring information systems (control assessors, auditors, and system owners).
People with security or privacy implementation and operational responsibilities (system owners, common control providers, information owners/stewards, mission or business owners, security or privacy architects, and systems security or privacy engineers).
13. NIST 800-37 FUNDAMENTALS
14. What We Will Cover – Fundamentals
Organization-Wide Risk Management
Information Security and Privacy Under the RMF
System and System Elements
Control Allocation
Security and Privacy Posture
Supply Chain Risk Management
15. Organization-Wide Risk Management
Managing information system-related security and privacy risks is a complex undertaking that requires the involvement of the entire organization –
from senior leaders providing the strategic vision and top-level goals and objectives for the organization,
to mid-level leaders planning and managing projects,
to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions.
16. Organization-Wide Risk Management
Risk management is a holistic activity that is fully integrated into every aspect of the organization, including:
the mission and business planning activities,
the enterprise architecture,
the SDLC processes, and
the system engineering activities.
Security and privacy requirements are clearly articulated and communicated to each organizational entity to help ensure mission and business success.
17. The 3 Tiers of Organization-Wide Risk Management
Risk is addressed at the 3 tiers of the organization:
Level 1 – Organization level
Level 2 – Mission/business process level
Level 3 – Information system or system component level
See NIST SP 800-39 for guidance on organization-wide risk management.
18. Overview of Activities at Levels 1 and 2
The activities conducted at Levels 1 (organization) and 2 (mission/business process) are critical to preparing the organization to execute the RMF.
Preparation involves a wide range of activities that go beyond managing the security and privacy risks associated with operating or using specific systems and includes activities that are essential to managing security and privacy risks appropriately throughout the organization.
19. Overview of Activities at Levels 1 and 2
Decisions about how to manage security and privacy risks at the system level (Level 3) cannot be made in isolation. Such decisions are closely linked to decisions regarding:
Mission/business objectives of the organization;
Modernization of information systems, components, and services to adopt new and innovative technologies;
Enterprise architecture and the need to manage and reduce the complexity of systems through consolidation, optimization, and standardization (i.e., reducing the attack surface and technology footprint exploitable by adversaries);
Allocation of resources to ensure the organization can conduct its missions and business operations with a high degree of effectiveness, efficiency, and cost-effectiveness.
20. Levels 1 and 2 Preparation Activities (1 of 4)
1. Assigning key roles and responsibilities for risk management processes.
2. Establishing a risk management strategy and organizational risk tolerance.
3. Identifying the missions, business functions, and business processes the information system is intended to support.
4. Identifying key stakeholders that have an interest in the information system.
5. Identifying and prioritizing assets (including information assets).
21. Levels 1 and 2 Preparation Activities (1 of 4)
6. Understanding threats to information systems, organizations, and individuals.
7. Conducting risk assessments.
8. Identifying and prioritizing key stakeholder protection needs and security and privacy requirements.
9. Determining systems-of-interest (i.e., authorization boundaries).
22. Levels 1 and 2 Preparation Activities (2 of 2)
10. Defining information systems in terms of the enterprise architecture.
11. Developing the security and privacy architectures that include controls suitable for inheritance by organizational systems (common controls).
12. Identifying, aligning, and de-conflicting requirements.
13. Allocating both security and privacy requirements to information systems and environments in which those systems operate.
24. Overview of Level 3 Activities (Information Systems)
In contrast to Level 1 and 2 activities, which prepare the organization for the execution of the RMF, Level 3 addresses risk from an information system perspective and is guided and informed by the risk decisions at the organization and mission/business process levels.
The risk decisions at Levels 1 and 2 impact the selection and implementation of controls at the system level.
System security and privacy requirements are satisfied by the selection and implementation of controls from NIST SP 800-53.
25. NIST SP 800-53 Controls
Controls are traceable to the security and privacy requirements established by the organization to ensure that there is transparency in the development of security and privacy solutions and that the requirements are fully addressed during system design, development, implementation, and maintenance.
26. THE 7 STEPS IN THE RISK MANAGEMENT FRAMEWORK
Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
27. Risk Management Framework (NIST SP 800-37 Rev. 2) (figure)
28. More about the RMF Steps
The steps in the RMF can also be aligned with the systems security engineering processes defined in NIST SP 800-160, Vol. 1.
The steps can be carried out in any order.
If executing the RMF for the first time, you will likely carry out the steps in sequential order.
Once the system is in the operation and maintenance phase of the SDLC (as part of the continuous monitoring step), events may dictate non-sequential execution.
The risk management approach selected by an organization may vary on a continuum from top-down to decentralized consensus among peers; however, organizations (in all cases) use a consistent approach that is applied to risk management processes across the enterprise, from the organization level to the information system level.
Senior officials must identify and secure the needed resources to complete the 800-37 risk management tasks and ensure that those resources are made available to the appropriate personnel.
29. What We Will Cover – Fundamentals
Organization-Wide Risk Management
Information Security and Privacy Under the RMF
System and System Elements
Control Allocation
Security and Privacy Posture
Supply Chain Risk Management
30. INFORMATION SECURITY & PRIVACY UNDER THE RMF
The 2016 Revision of OMB Circular A-130 Requires Organizations to Integrate Privacy into the RMF Process
31. INFORMATION SECURITY PROGRAMS VS. PRIVACY PROGRAMS
Information Security Programs
Information security programs are responsible for protecting information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability.
Privacy Programs
Privacy programs are responsible for ensuring compliance with applicable privacy requirements and for managing the dissemination, disclosure, or disposal (collectively referred to as “processing”) of PII.
Privacy programs are responsible for managing the risks to individuals that may result from the creation, collection, use, and retention of PII; the inadequate quality or integrity of PII; and the lack of appropriate notice, transparency, or participation.
32. The Relationship of Information Security Programs and Privacy Programs Under the RMF
The objectives of the InfoSec and Privacy programs are overlapping and complementary (CIA).
When a system processes PII, the information security program and privacy program have a shared responsibility for managing the risks to individuals that may arise from unauthorized system activity or behavior. This requires the 2 programs to collaborate when selecting, implementing, assessing, and monitoring security controls.
However, protecting individuals’ privacy cannot be achieved solely by securing PII. Not all privacy risks arise from unauthorized system activity or behavior, such as unauthorized access to or disclosure of PII. Some privacy risks may result from authorized activity that is beyond the scope of information security.
33. Privacy Programs Implement, Assess, and Monitor Privacy Controls
To ensure compliance with applicable privacy requirements and to manage privacy risks, privacy programs also select, implement, assess, and monitor privacy controls.
Privacy controls are listed in SP 800-53 Appendix J.
Organizations manage risk under the RMF from authorized processing of PII and from unauthorized system activity or behavior.
34. What We Will Cover – Fundamentals
Organization-Wide Risk Management
Information Security and Privacy Under the RMF
System and System Elements
Control Allocation
Security and Privacy Posture
Supply Chain Risk Management
35. SYSTEM AND SYSTEM ELEMENTS
36. Systems and the SDLC
It is important to describe information systems in the context of the 5-phase SDLC (Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal) and how security and privacy capabilities are implemented within the basic components of those systems.
Take a broad view of the entire SDLC to provide a contextual relationship and linkage to architectural and engineering concepts that allow security and privacy issues to be addressed at the appropriate level of detail to help ensure that such capabilities are achieved.
37. What is an Information System?
Federal law defines an information system as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
ISO/IEC/IEEE 15288 defines a system as a set of interacting elements organized to achieve one or more stated purposes.
Every system operates within an environment that influences the system and its operation.
38. System Elements
System elements include technology or machine elements, human elements, and physical or environmental elements.
Individual system elements or a combination of system elements may satisfy stated system requirements and may be implemented via hardware, software, or firmware; physical structures or devices; or people, processes, policies, and procedures.
Interconnections between system elements allow those elements to interact to produce a capability as specified by the system requirements.
39. System-of-Interest
The set of system elements, system element interconnections, and the environment in which the system operates.
Determines the authorization boundary for the execution of the RMF.
May be supported by one or more enabling systems that provide support during the system life cycle.
The enabling systems are NOT within the authorization boundary of the system-of-interest and do not necessarily exist in the operational environment of the system-of-interest.
40. The RMF is Applied to an Authorization Boundary
The RMF is applied to an authorization boundary that can be conceptualized as a system-of-interest – NOT to individual system elements.
Organizations can employ component-level assessments for system elements and can take advantage of the assessment results generated during that process to support risk-based decision making for the system.
Example: The Common Criteria evaluation provides independent component-level assessments for IT products.
41. Conceptual View of the System-of-Interest (figure)
42. Risk Management Activities and the SDLC
Risk management activities begin early in the SDLC and continue throughout. They:
Help to shape the security and privacy capabilities of the system.
Ensure that the necessary controls are implemented.
Ensure that security and privacy risks are being adequately addressed on an ongoing basis.
Ensure that the authorizing officials understand the current security and privacy posture of the system in order to accept the risk.
SDLC phases: Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal
43. What We Will Cover – Fundamentals
Organization-Wide Risk Management
Information Security and Privacy Under the RMF
System and System Elements
Control Allocation
Security and Privacy Posture
Supply Chain Risk Management
45. 3 Types of Controls
System-specific controls provide a security or privacy capability for an information system.
Common controls provide a security or privacy capability for multiple systems.
Hybrid controls have system-specific and common characteristics.
46. What is Control Allocation?
Control allocation is the process employed to determine whether controls are system-specific, common, or hybrid AND to assign the controls to the specific system elements responsible for providing a security or privacy capability.
Controls are allocated to a system or an organization consistent with the enterprise architecture and security or privacy architecture.
Security control allocation also occurs during the SDLC process as part of requirements engineering.
See NIST SP 800-160 Volume 1 for systems security engineering activities associated with system life cycle processes to achieve trustworthy, secure components, systems, and services.
47. Why Use Common Controls?
Organizations are encouraged to identify and implement common controls that can support multiple information systems as a common protection capability.
When common controls are used to support a specific system, they are referenced by that system as inherited controls.
Common controls promote cost-effective, efficient, and consistent security and privacy safeguards across the organization.
Common controls can simplify risk management processes and activities.
48. Allocation Assigns Responsibility and Accountability
Allocating controls to a system as system-specific controls, hybrid controls, or common controls assigns responsibility and accountability to specific organizational entities for the:
development,
implementation,
assessment,
authorization, and
monitoring of those controls.
49. Control Allocation Produces Risk-Related Information
Control allocation produces risk-related information for senior leaders about the security and privacy posture of systems and the business processes supported by those systems:
System Security/Privacy Plans (SSP)
System Security/Privacy Assessment Report (SAR)
System Plan of Action and Milestones (POAM)
Common Controls Security/Privacy Plans, Security/Privacy Assessment Report, and Plan of Action and Milestones (POAM)
This information supports authorization and ongoing authorization decisions.
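As an added worked example (not part of the presentation and not NIST's own material), the Python below models the allocation records this section describes: each selected control is recorded as system-specific, common, or hybrid; the inherited set and the accountable entities are derived from those records; and the checks that would feed a POA&M flag controls that were selected but never allocated, or hybrids missing one of their two parts. The system, element, and role names are constructed; the control identifiers are NIST SP 800-53 controls used only as labels.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Allocation(Enum):
    """The three control types from the slides."""
    SYSTEM_SPECIFIC = "system-specific"
    COMMON = "common"
    HYBRID = "hybrid"


@dataclass
class ControlAllocation:
    """One allocation record for a single NIST SP 800-53 control."""
    control_id: str
    allocation: Allocation
    # System-level part: the element that provides the capability and the
    # organizational entity accountable for it.
    system_element: Optional[str] = None
    system_owner: Optional[str] = None
    # Inherited part: the common control provider accountable for it.
    common_control_provider: Optional[str] = None


@dataclass
class SystemAllocationPlan:
    """Allocation records for one authorization boundary (system-of-interest)."""
    system_name: str
    selected_controls: Set[str]          # controls selected for the system
    allocations: List[ControlAllocation] = field(default_factory=list)

    def inherited_controls(self) -> Set[str]:
        """Controls the system references as inherited (common or hybrid)."""
        return {a.control_id for a in self.allocations
                if a.allocation is not Allocation.SYSTEM_SPECIFIC}

    def accountability(self) -> Dict[str, Set[str]]:
        """Map each allocated control to the entities accountable for it."""
        result: Dict[str, Set[str]] = {}
        for a in self.allocations:
            who = result.setdefault(a.control_id, set())
            if a.system_owner:
                who.add(a.system_owner)
            if a.common_control_provider:
                who.add(a.common_control_provider)
        return result

    def gaps(self) -> List[str]:
        """Findings a control assessor would carry into the POA&M."""
        findings: List[str] = []
        allocated = {a.control_id for a in self.allocations}
        for cid in sorted(self.selected_controls - allocated):
            findings.append(f"{cid}: selected but allocated to no element or provider")
        for a in self.allocations:
            kind = a.allocation.value
            needs_system = a.allocation is not Allocation.COMMON
            needs_common = a.allocation is not Allocation.SYSTEM_SPECIFIC
            if needs_system and not (a.system_element and a.system_owner):
                findings.append(f"{a.control_id}: {kind} control lacks a system element or accountable system owner")
            if needs_common and not a.common_control_provider:
                findings.append(f"{a.control_id}: {kind} control lacks a common control provider")
            if a.control_id not in self.selected_controls:
                findings.append(f"{a.control_id}: allocated but not among the selected controls")
        return findings


def example_plan() -> SystemAllocationPlan:
    """Constructed sample: a payroll system with four allocation records and two defects."""
    return SystemAllocationPlan(
        system_name="Payroll (constructed example)",
        selected_controls={"AC-2", "AU-6", "PE-3", "IR-4", "CM-6"},
        allocations=[
            # System-specific: provided entirely inside the authorization boundary.
            ControlAllocation("AC-2", Allocation.SYSTEM_SPECIFIC,
                              system_element="Payroll application server",
                              system_owner="Payroll System Owner"),
            # Common: physical access control inherited from the facilities provider.
            ControlAllocation("PE-3", Allocation.COMMON,
                              common_control_provider="Facilities Common Control Provider"),
            # Hybrid: the system forwards its logs; the enterprise SOC reviews them.
            ControlAllocation("AU-6", Allocation.HYBRID,
                              system_element="Log forwarder",
                              system_owner="Payroll System Owner",
                              common_control_provider="Enterprise SOC"),
            # Defective hybrid: the system-level part was never assigned.
            ControlAllocation("IR-4", Allocation.HYBRID,
                              common_control_provider="Enterprise SOC"),
            # CM-6 was selected but never allocated at all.
        ],
    )


if __name__ == "__main__":
    plan = example_plan()
    print("Inherited:", sorted(plan.inherited_controls()))
    for finding in plan.gaps():
        print("POA&M:", finding)
```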
51. What We Will Cover – Fundamentals
Organization-Wide Risk Management
Information Security and Privacy Under the RMF
System and System Elements
Control Allocation
Security and Privacy Posture
Supply Chain Risk Management
52. SECURITY AND PRIVACY POSTURE
53. What is the Security and Privacy Posture?
The security and privacy posture represents the STATUS of the information systems and information resources within an organization based on information assurance resources and the capabilities in place to:
manage the defense of the organization;
comply with privacy requirements and manage privacy risks; and
react as the situation changes.
Understanding the security and privacy posture of organizational information systems and the common controls that are designated for inheritance by those systems is key to the authorizing official’s ability to make risk-based decisions.
54. Continuous Monitoring and Assessing of Controls
The security and privacy posture is determined on an ongoing basis by assessing and continuously monitoring implemented controls.
The control assessments and monitoring activities provide evidence that the controls are implemented correctly, operating as intended, and satisfying the security and privacy requirements in response to business requirements, laws, regulations, policies, or standards.
Authorizing officials use the security and privacy posture to determine whether the risk is acceptable based on the organization’s risk management strategy and organizational risk tolerance.
See RMF Prepare – Organization Level step, Task P-2.
55. What We Will Cover – Fundamentals
Organization-Wide Risk Management
Information Security and Privacy Under the RMF
System and System Elements
Control Allocation
Security and Privacy Posture
Supply Chain Risk Management
56. SUPPLY CHAIN RISK MANAGEMENT
57. Why Supply Chain Risk Management is Needed
Organizations are becoming increasingly reliant on external providers for component products, systems, and services needed to carry out important business functions.
Organizations remain responsible and accountable for the risk incurred when using external suppliers.
58. Supply Chain Threats
Insertion of counterfeits
Unauthorized production
Tampering
Theft
Insertion of malicious software and hardware
Shoddy manufacturing
Poor development practices
59. Why Do We Have Supply Chain Risks?
Decreased visibility into (and understanding of) how the technology acquired is developed, integrated, and deployed.
Limited knowledge and/or control of the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the acquired products, systems, and services.
60. Challenges to Managing Supply Chain Risk
Defining the types of products, systems, and services that are outsourced.
Describing how the products, systems, and services are protected in keeping with the security and privacy requirements of the organization.
Obtaining the necessary assurances that the risk arising from outsourcing is avoided, mitigated, or accepted.
61. Develop a Supply Chain Risk Management Policy
Guides and informs SCRM activities.
Supports applicable organizational policies (acquisition and procurement, information security and privacy, quality, supply chain, and logistics).
Addresses the goals and objectives in the organization’s strategic plan, specific missions and business functions, and the internal and external customer requirements.
Defines the integration points for SCRM with the risk management and the SDLC processes.
Defines SCRM-related roles and responsibilities, dependencies among those roles, and interactions among the roles.
62. What We Will Cover – Fundamentals
Organization-Wide Risk Management
Information Security and Privacy Under the RMF
System and System Elements
Control Allocation
Security and Privacy Posture
Supply Chain Risk Management
63. THE PROCESS – SUMMARY OF THE RMF TASKS
64. The Structure of RMF Steps and Tasks
Each STEP in the RMF has a purpose statement, a defined set of outcomes, and a set of tasks that are carried out to achieve those outcomes.
Each TASK contains a set of potential inputs needed to execute the task and a set of potential outputs generated from task execution.
Each task describes the phase of the SDLC where task execution takes place and the risk management roles and responsibilities associated with the task.
There is a discussion section and references to provide information on how to effectively execute each task.
66. Task P-2 Risk Management Strategy
Task 2: Establish a risk management strategy for the organization that includes a determination of risk tolerance.
Potential Inputs: Organizational mission statement; organizational policies; organizational risk assumptions, constraints, priorities, and trade-offs.
Potential Outputs: Risk management strategy and statement of risk tolerance.
Primary Responsibility: Head of Agency
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Discussion: Risk tolerance is the level or degree of risk or uncertainty that is acceptable to an organization. Risk tolerance affects all components of the risk management process...
References: NIST Special Publication 800-30; NIST Special Publication 800-39 (Organization Level); NIST Special Publication 800-160, Volume 1 (Risk Management, Decision Management, Quality Assurance, Quality Management, Project Assessment and Control Processes); NIST Special Publication 800-161; NIST Interagency Report 8062; NIST Cybersecurity Framework (Core [Identify Function]).
68. DeniseTawwab, CISSP
7 Organization - Level PREPARE Tasks
Task P-1: Risk Management Roles
Task P-2: Risk Management Strategy
Task P-3: Risk Assessment – Organization
Task P-4: Organizationally-Tailored Control Baselines
Task P-5: Common Control Identification
Task P-6: Impact-Level Prioritization (optional)
Task P-7: Continuous Monitoring Strategy
69. The Purpose of the PREPARE Step
Carry out essential activities at the organization, mission and business
process, and information system levels of the organization
To help prepare the organization to manage its security and privacy risks
using the Risk Management Framework.
70. 11 System-Level PREPARE Tasks
Task P-8: Mission or Business Focus
Task P-9: System Stakeholders
Task P-10: Asset Identification
Task P-11: Authorization Boundary
Task P-12: Information Types
Task P-13: Information Life Cycle
Task P-14: Risk Assessment – System
Task P-15: Requirements Definition
Task P-16: Enterprise Architecture
Task P-17: Requirements Allocation
Task P-18: System Registration
72. Purpose of the Categorize Step
The purpose of the categorize step is to inform organizational risk
management processes and tasks by determining the adverse impact
to organizational operations and assets, individuals, other organizations,
and the Nation with respect to the loss of confidentiality, integrity, and
availability of organizational systems and the information processed,
stored, and transmitted by those systems.
73. 3 CATEGORIZE Tasks
Task C-1: System Description
Task C-2: Security Categorization
Task C-3: Security Categorization Review and Approval
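As an added worked example (not part of the slides): the security categorization in Task C-2 rolls the impact levels of each information type up to the system level using the FIPS 199 high-water-mark rule, which the slides do not spell out. The information types, their impact levels and the case-management system below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# FIPS 199 impact levels, ascending; Task C-2 assigns one per C/I/A objective to each information type.
LEVELS = ("LOW", "MODERATE", "HIGH")
NOT_APPLICABLE = None  # allowed only for confidentiality of public information

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: Optional[str]  # None means "not applicable"
    integrity: str
    availability: str

def _check(level: Optional[str], objective: str) -> None:
    """Reject typos such as 'Medium' and N/A on anything but confidentiality."""
    if level is NOT_APPLICABLE and objective == "confidentiality":
        return
    if level not in LEVELS:
        raise ValueError(f"{objective}: invalid impact level {level!r}")

def high_water_mark(levels: Iterable[Optional[str]]) -> str:
    """Highest impact present. N/A never reaches the system level: FIPS 199
    holds that a system's own processing functions carry at least LOW impact."""
    present = [LEVELS.index(lv) for lv in levels if lv is not NOT_APPLICABLE]
    return LEVELS[max(present)] if present else "LOW"

def system_security_category(info_types: list) -> dict:
    """Roll information-type categories up into the system security category.
    'overall' is what the Select step maps to an SP 800-53 control baseline."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for it in info_types:
        _check(it.confidentiality, "confidentiality")
        _check(it.integrity, "integrity")
        _check(it.availability, "availability")
    category = {
        "confidentiality": high_water_mark(it.confidentiality for it in info_types),
        "integrity": high_water_mark(it.integrity for it in info_types),
        "availability": high_water_mark(it.availability for it in info_types),
    }
    category["overall"] = high_water_mark(category.values())
    return category

# Constructed sample: three information types on a hypothetical case-management system.
SAMPLE_TYPES = [
    InfoType("public web content", NOT_APPLICABLE, "LOW", "LOW"),
    InfoType("case records", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment transactions", "LOW", "HIGH", "MODERATE"),
]
```

Because a single HIGH integrity rating on payment transactions drives the whole system to HIGH, the review in Task C-3 is where an over- or under-stated information type gets caught before it dictates the baseline.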
75. Purpose of the Select Step of the RMF
The purpose of the Select step is to select, tailor, and document
the controls necessary to protect the information system and
organization commensurate with risk to organizational operations and
assets, individuals, other organizations, and the Nation.
76. 6 SELECT Tasks
Task S-1: Control Selection
Task S-2: Control Tailoring
Task S-3: Control Allocation
Task S-4: Documentation of Planned Control Implementations
Task S-5: Continuous Monitoring Strategy – System
Task S-6: Plan Review and Approval
78. Purpose of the Implement Step of the RMF
The purpose of the Implement step is to implement the
controls in the security and privacy plans for the system and for
the organization and to document in a baseline configuration,
the specific details of the control implementation.
79. 2 IMPLEMENT Tasks
Task I-1: Control Implementation
Task I-2: Update Control Implementation Information
81. Purpose of the Assess Step of the RMF
The purpose of the Assess step is to determine if the
controls selected for implementation are implemented
correctly, operating as intended, and producing the desired
outcome with respect to meeting the security and privacy
requirements for the system and the organization.
82. 6 ASSESS Tasks
Task A-1: Assessor Selection
Task A-2: Assessment Plan
Task A-3: Control Assessments
Task A-4: Assessment Reports (Security and Privacy)
Task A-5: Remediation Actions
Task A-6: Plan of Action and Milestones
83. NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2
84. Purpose of the Authorize Step of the RMF
The purpose of the Authorize step is to provide
organizational accountability by requiring a senior management
official to determine if the security and privacy risk (including
supply chain risk) to organizational operations and assets,
individuals, other organizations, or the Nation based on the
operation of a system or the use of common controls, is
acceptable.
85. The 5 AUTHORIZE Tasks and Outcomes
Task R-1: Authorization Package
Task R-2: Risk Analysis and Determination
Task R-3: Risk Response
Task R-4: Authorization Decision
Task R-5: Authorization Reporting
87. Purpose of the Monitor Step of the RMF
The purpose of the Monitor step is to maintain an ongoing
situational awareness about the security and privacy posture of
the information system and the organization in support of risk
management decisions.
88. 7 MONITOR Tasks and Outcomes
Task M-1: System and Environment Changes
Task M-2: Ongoing Assessments
Task M-3: Ongoing Risk Response
Task M-4: Authorization Updates
Task M-5: Security and Privacy Posture Reporting
Task M-6: Ongoing Authorization
Task M-7: System Disposal
89. 5 Core Documents
NIST SP 800-39, Managing Information Security Risk
NIST SP 800-30, Guide for Conducting Risk Assessments
NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
NIST SP 800-53, Recommended Security Controls for Federal Information Systems
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
and Organizations
90. Understanding The NIST Risk Management
Framework – NIST SP 800-37 Revision 2
Denise Tawwab, CISSP, CCSK
Information Security Risk and Compliance Consultant
www.denisetawwab.com
919.339.2253
June 2-5, 2019 | Myrtle Beach, SC