Final Project
Justin R. Cook
Cybercrime is growing at a rapid pace; damages resulting from cybercrime are estimated
to cost the world around $6 trillion annually by 2021 (Morgan, 2020). To limit risk, our
organization must take a proactive approach to ensure the security of our information systems
and data. NIST outlines a seven-step risk management framework that the US federal
government uses to promote the development of security capabilities into its systems throughout
the system development lifecycle (NIST SP 800-37, 2018). Although this framework is used by
the federal government, the steps outlined in the RMF can be tailored to fit an organizational
environment of any size. The seven steps of the risk management framework include the
assessment of the control’s effectiveness, authorization decision for the system, and finally
continuous monitoring of the system. The seven steps of the RMF are followed before and after a
system is authorized for use. This ensures that the system remains secured when changes occur
The first step of the RMF is preparation, where an organization carries out activities to
ensure it is ready to manage its security and privacy risks using this framework (NIST SP
800-37, 2018). For our organization, the most important aspect of this step is to identify and
assign individuals to certain roles that will be required in subsequent RMF steps. For example,
an authorizing official must be designated; this is the individual who will authorize systems
for use in step 6 of the RMF. Business leaders must determine the level of risk tolerance that our
organization and create a risk management strategy. Although having zero risk is ideal,
budget/resource limitations will require us to make key decisions regarding the amount of risk
we can endure at any given time. Lastly, a risk assessment should take place during this step to
create a baseline of where the organization currently stands. After this step is completed,
organizational leaders should be on board with using the risk management framework to manage
risk, and any production system should be assessed using this framework.
The categorize step assesses the system and information that is processed, stored, and
transmitted by that system based on an analysis of the impact of loss (NIST SP 800-37, 2018).
Security categorization is vital because it is the basis for developing an initial baseline set of
security controls for the information system (NIST SP 800-60, 2008). Federal Information
Processing Standards (FIPS) are standards and guidelines that the United States federal
government uses when securing their computer systems. Specifically, FIPS Publication 199 lays
out standards for categorizing information and information systems, and the private sector is
encouraged to use these standards as well (FIPS, 2004). Part of the initial security categorization of
an information system is establishing provisional impact levels which are the impact levels
information type (NIST SP 800-60, 2008). Every system will store, process, or transmit multiple
information types, and each is categorized. The CIA triad is defined below:
1. Confidentiality - Only authorized users and processes should be able to access or modify
data
2. Integrity - Data should be maintained in a correct state and nobody should be able to
3. Availability - Authorized users should be able to access data whenever they need to do so
(Fruhlinger, 2020).
Once each of the information types is categorized the overall security category of the information
system is expressed as the maximum potential impact value for each security objective. The three
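The high-water-mark rule just described, worked through in Python as an added illustration that is not part of the original paper. It also validates the input levels and derives the single overall level that picks the initial control baseline; the information types and their impact levels are constructed for the example, not values taken from SP 800-60.

```python
from typing import Dict, Tuple

# Ordinal ranking of the FIPS 199 potential impact levels.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: Dict[str, Tuple[str, str, str]]) -> Dict[str, str]:
    """Security category of a system: the maximum impact level per objective
    across every information type the system stores, processes or transmits.
    info_types maps a type name to its (C, I, A) provisional impact levels.
    An unknown level is rejected rather than defaulted to "low", because a
    silent default would understate the category.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {obj: "low" for obj in OBJECTIVES}  # FIPS 199 floor is low
    for name, levels in info_types.items():
        if len(levels) != len(OBJECTIVES):
            raise ValueError(f"{name}: expected (C, I, A) levels, got {levels!r}")
        for obj, level in zip(OBJECTIVES, levels):
            level = level.strip().lower()
            if level not in IMPACT_RANK:
                raise ValueError(f"{name}/{obj}: unknown impact level {level!r}")
            if IMPACT_RANK[level] > IMPACT_RANK[category[obj]]:
                category[obj] = level
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """High-water mark across the three objectives; this single level (low,
    moderate or high) selects the initial SP 800-53 control baseline."""
    return max(category.values(), key=IMPACT_RANK.__getitem__)


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    # Constructed sample (hypothetical levels, not SP 800-60 values).
    sample = {
        "employee PII": ("moderate", "moderate", "low"),
        "public website content": ("low", "moderate", "moderate"),
        "internal audit logs": ("moderate", "high", "low"),
    }
    sc = categorize_system(sample)
    print(format_category(sc), "->", overall_impact(sc).upper(), "baseline")
```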
After an information system has been successfully categorized, the next step in the RMF
is to select, tailor, and document security controls that are required to protect the system.
Security controls are the safeguards or countermeasures that can be implemented to protect the
confidentiality, integrity, and availability of the system and its information (NIST SP 800-53,
2017). NIST SP 800-53 defines twenty families of security controls, which amount to hundreds
of baseline controls that are applied to systems at any categorization level. An example of a
security control is the PE-3 control which enforces physical access authorizations at the facility
where the information system resides (NIST SP 800-53, 2017). It is impractical from both a
budget and an implementation standpoint to implement each control from the baseline.
Therefore, the initial tailoring of the baseline controls is to select the control families that are
most critical to our system. The selected security controls can be further tailored so that they fit
our specific operating environment. The selected/tailored security controls must then be
documented and an implementation plan created that describes the intended application of each
control in the context of the system (NIST SP 800-37, 2018). The implementation plan must then
Once approved, the next step in the RMF is to implement the controls that were laid out
in the implementation plan and to document the specific details of the control implementation
(NIST SP 800-37, 2018). In the previous step, the example of a PE-3 control was mentioned, and
the implementation step is where the control is put into action. For the PE-3 control, an
implementation example would be using access control software that grants access to the
buildings if key fobs are swiped at the entrances. NIST recommends using best practices when
implementing security controls and that the controls adhere to federal and organizational policies
(NIST SP 800-37, 2018). As controls are implemented, things do not always go
according to plan. Therefore, it is important to update the security and privacy plans with any
details or changes that occurred while the implementation took place (NIST SP 800-37, 2018).
Following the implementation of security controls, our organization then has to assess
them to determine if the controls are operating as intended and meeting the desired security
needs (NIST SP 800-53, 2014). NIST provides examples for how to assess different security
controls, but the security control assessments can also be tailored to fit the organization’s needs.
For the example of assessing the PE-3 control, the assessment could test gaining access to the
building without a key fob or with a key fob that does not have the correct access levels. The
results from the assessment are documented in a security assessment report which is reviewed to
assess risk, determine appropriate response actions, and update the Plans of Action and
Milestones (NIST SP 800-53, 2014). For example, if the security assessment report showed that
access to the building was incorrectly granted then a remediation action would be warranted.
Remediation actions address deficiencies in the controls that were implemented in the system
based on the assessment results (NIST SP 800-37, 2018). The remediation actions are placed
into a document referred to as the plan of action and milestones (POA&M) which is included as
The next step of the RMF is the authorization step, where a senior management official
determines if the security and privacy risk to the information system is acceptable and makes a
final decision authorizing the system for use in production (NIST SP 800-37, 2018). Security
authorization is one of the most important steps of the RMF because the decision is based on all
of the information gathered and developed from the previous steps. The authorization tasks
include
The authorization of the system is approved or denied and the decisions/risks are reported
Any risks that were found and documented in the authorization package are analyzed and applied
against the risk management strategy that was drafted in step one of the RMF. Like previously
mentioned, the levels of risk tolerance vary between organizations and the authorizing official
takes this into account when making the final decision. The authorization decision can be
Authorization to Operate (DATO) (NIST SP 800-37, 2018). This decision is made by the
authorizing official and dictates whether the determined risks are acceptable to allow the
The final step of the RMF is the monitor step which takes place to maintain an ongoing
awareness of the security/privacy posture of the system and to account for any changes that
occurred in the operating environment (NIST SP 800-37, 2018). Although a system may have
received an ATO, if a change is made to the system or to the environment around that system
then the security posture must be verified. NIST defines seven different tasks during the monitor
• Ongoing risk response – analyze and respond to the results of the ongoing assessments
• Ongoing authorization – authorizing officials review the results of previous tasks and
2018).
Our organization must adhere to a change management protocol that will require any change
made to the production environment to be assessed to determine if this will impact the security
posture of any system. Relevant changes that do impact a system’s security posture will require
that system to go through the steps of the RMF once again. This procedure will ensure that the
The seven steps of NIST’s risk management framework aim to promote the development
of security capabilities into its systems throughout the system development lifecycle (NIST SP
800-37, 2018). Our organization first prepares to begin using the RMF by delegating
roles/responsibilities and developing an organizational risk strategy. Production systems are first
categorized based on their impact levels that correspond to the level of risk that exists. To secure
the systems, security controls are selected, tailored, and implemented per NIST’s best practices.
The implemented controls must then be assessed to determine if they are functioning as intended
in the implementation plan. The results of the assessment are documented in an authorization
package that is given to the authorizing official. That official analyzes the authorization package
against the organization’s risk management strategy to determine if the system can operate in a
continuous monitoring procedure is put into place to validate the effectiveness of the security
controls. By utilizing the seven-step risk management framework outlined by NIST, our
organization will be doing our due diligence to ensure our production systems remain secure as
References
FIPS PUB 199. (2004, February). Standards for Security Categorization of Federal Information
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
Fruhlinger, J. (2020, February 10). The CIA triad: Definition, components and examples.
components-and-examples.html
Morgan, S. (2020, March 29). Top 5 Cybersecurity Facts, Figures, Predictions, And Statistics For
facts-figures-predictions-and-statistics-for-2019-to-2021
National Institute of Standards and Technology (NIST). (2018, December). Special Publication
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
National Institute of Standards and Technology (NIST). (2008, August). Special Publication 800-
60: Guide for Mapping Types of Information and Information Systems to Security
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
National Institute of Standards and Technology (NIST). (2017, August). Special Publication 800-
53 Revision 5. Security and Privacy Controls for Information Systems and Organizations.
53r5.pdf