Sabrina Toubbeh
Professor Nzeata
Purpose
mitigate risks unique to the business. Effective risk management helps reduce costs, protect
revenue, improve business reputation, alleviate cyber-risks, and prevent attacks against the
organization (CS Risk Management, 2021). For an organization’s mission and business functions
and transmitted by those systems and privacy of individuals” must be implemented (NIST,
2018). Confidentiality, integrity, and availability are the main goals of a security plan and are
considered the most crucial security elements. According to NIST (2018), the processes in the
Risk Management Framework include the need to Prepare, Categorize, Select, Implement,
Assess, Authorize, and Monitor, which will all be detailed and explained further below.
Step 1 Prepare
Before enacting the RMF, the organization must first prepare itself by assuring
process. The first step of the RMF includes all the steps necessary to execute the framework
from an organizational and system-level perspective (NIST, 2011a). In this stage, the key
outcomes are to provide a clear understanding of the Risk Management Roles, Risk Management
Strategy, Organizational Risk Assessment, and Continuous Monitoring Strategy (Veltsos, 2019).
These outcomes can be achieved by: (i) providing a general overview of the risk management
process; (ii) establishing how organizations determine the context for risk-based decisions; (iii)
determining how organizations assess risk considering threats, vulnerabilities, likelihood, and
impact; (iv) deciding how risk should be responded to once detected; and (v) defining how risks can
be monitored over time as the operating environment changes (NIST, 2011a).
Accomplishing these tasks can minimize complexity by recognizing and removing irrelevant
System categorization within RMF is the process of assigning one of “three levels of
2004). Each of the CIA triad principles is assigned an impact level based on the type of data
conjunction with vulnerability and threat details discovered in the risk assessment. The impact
Given the appropriate impact levels, the categorization of the system is determined, which allows an
organization to understand the consequences that may result from a compromise of the security
objectives.
Step 3 Selection
The selection step aims to select, tailor, and document the controls necessary to protect
the system and organization (NIST, 2018). The organization must select an initial set of baseline
security controls essential to reducing risk at the system's security categorization. These baseline controls serve
as a starting reference that may be enhanced based on business needs. The selected controls
system-focused. Since risk cannot be completely eliminated, these controls are intended to
minimize risk to an acceptable level based on the risk assessment. However, to select proper
security controls, the organization must accurately and correctly determine the security system's
categorization and impact levels. This phase also includes producing tailored control baselines,
implementations, developing a continuous monitoring strategy, and reviewing and approving the
security and privacy plans that reflect the control selections (NIST, 2018). This selection process
is a critical step in the RMF, as it sets the foundation for the subsequent phases.
Step 4 Implementation
Once controls have been selected and approved, the Implementation step commences. This
phase involves implementing the security controls and documenting how they are deployed
within the system and operational environment (NIST, 2018). The implementation of controls
makes the security plan a reality. However, in doing so, the implementation must also be
carefully executed to comply with any regulations and policies. The outcomes of the
Implementation step are to employ the controls specified in the security and privacy plans using
systems security best practices and engineering methodologies for its enactment and update
Step 5 Assessment
determine whether the selected and applied controls are executed correctly, perform as
intended, and deliver the anticipated outcome with respect to satisfying the security and privacy
requirements of both the system and organization (NIST, 2018). First, the organization must
determine which team or individual is responsible for performing the assessment. Upon selecting
the assessor, an assessment plan must be provided to carry out the evaluation. This includes
reviewing and approving the evaluation plan and providing any necessary documentation
The control assessment itself should be conducted in accordance with the assessment plan
and should seize the opportunity to reuse any assessment results from previous evaluations for a
timely and cost-effective process (NIST, 2018). To maximize this process, automation should be
used wherever possible to increase speed, effectiveness, and efficiency. The evaluation results
are valuable to an organization because they provide officials with: (i) evidence about the
effectiveness of implemented controls; (ii) an indication of the quality of the risk management
process employed within the organization; and (iii) information about the strengths and weaknesses
Once the assessments are complete, a report should be generated to share findings and
present recommendations to the organization. From the results, the assessor should provide
remediation actions that address any control deficiencies. As the implementation is
changed by these remediation actions, the security and privacy plans should be updated to
reflect the applied modifications. The remediation actions that were detailed can then be
documented in the Plan of Action and Milestones (POA&M) for the organization. This
POA&M itemizes the necessary tasks for completion to comply with organizational requirements
(NIST, 2006). Depending on the assessment results and whether the residual risk level is
acceptable, the listed action items may require completion before reassessment. The assessment
phase is an essential step, as it fosters an improved understanding and awareness of the risks
Step 6 Authorization
The authorization phase includes the preparation of the Plan of Action and Milestones
(POA&M) and submission of a security authorization package to the AO (CDSE, 2020). The AO
evaluates the assessment reporting results to determine if the residual risks are acceptable to the
organization (Peacock, n.d.). Since the objective of the RMF is to preserve an element’s ability to
fulfill its mission, the AO judges the organization’s current security posture against the
operational obligations of the system. Risk must be evaluated given the mission or business
constraints (CDSE, 2020). This includes weighing out the competing elements of mission and
security measures when determining the accepted level of risk. Once the AO establishes the risk
The authorizing decision is carried out by the AO and results in one of the following outcomes:
Approval to Operate (ATO), Interim Approval to Test (IATT), or Denied Approval to Operate
(DATO). If the overall system risk is permissible due to its mission criticality, then an ATO may
be issued with required conditions (DoD, 2014). In contrast, if risk is unacceptable or a system is
undergoing a decommissioning strategy, a DATO will be issued. If the overall system risk is
acceptable, then an IATT provides a temporary authorization that is only operable for testing
Step 7 Monitoring
When a system is authorized, the organization must ensure that it remains
effective against changes over time. This Monitoring step is intended to "maintain an ongoing
situational awareness" about the system's security posture (NIST, 2018). Since cybersecurity is
dynamic, security-related processes must be proactively managed to detect and react to new
Continuous monitoring is often used to address the impacts change has on security. Information
Security Continuous Monitoring (ISCM) refers to the process of sustaining the ongoing
(NIST, 2011b). To establish, implement, and maintain a robust ISCM, an organization must define
an ongoing monitoring strategy, develop and implement the program, analyze the outputted data
and report discoveries, respond to the findings, and review and update the process (NIST,
2011b). As with the Assessment step of the RMF, automation should be employed for timely
decision-making and facilitating near real-time results (NIST, 2018). Automation can be applied
to numerous tasks, such as configuration, antivirus, patch management, and audits. This
automation allows for the ongoing control efficacy assessment to be completed and responded to
with ease. Also, automation can generate the necessary documentation for reporting to the AO and
senior executives. For continuous monitoring to remain impactful, it must include configuration
management and control processes, an impact analysis on any system or environmental change,
assessment that assures security control efficacy, appropriate security reporting to executives,
firmware used by the system, or transitioning to a new environment, the challenge resides in
upholding the security of the organization in those states. However, just as business needs
fluctuate, so do the security systems in place. The framework gets revisited, and to adhere to
various operating needs, the implemented security controls may require changes. With any
addition or removal of controls, new risks arise. It is the organization's responsibility to
reassess the controls in place and determine which need to be modified, removed, or added.
Again, given all these changes, new controls must be selected, implemented, assessed, and
authorized. Continuous monitoring can be used to observe the efficacy of the new system and
Conclusion
considers the impact information systems carry on critical mission objectives. This structured
process involves preparing the organization to enact the framework company-wide, categorizing
the system based on its risk, selecting appropriate controls to mitigate the system's risk to acceptable
levels, implementing the controls to bring the system to life, assessing the implemented controls
to ensure the desired outcome, authorizing the system for use, and monitoring the system to
References
https://www.cdse.edu/documents/student-guides/CS124-guide.pdf
https://www.csriskmanagement.co.uk/the-importance-of-cyber-risk-management/
DoD. (2014, March 12). Risk Management Framework (RMF) for DoD Information Technology
(IT). https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf
NIST. (2006, February). Guide for Developing Security Plans for Federal Information
Systems. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
NIST. (2011b, September). Information Security Continuous Monitoring for Federal Information
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf
NIST. (2014, December). Assessing Security and Privacy Controls in Federal Information
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
NIST. (2018, December). Risk Management Framework for Information Systems and
Organizations. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
Peacock, J. (n.d.). Infographic: The Six Steps of the NIST Risk Management Framework (RMF).
https://www.cybersaint.io/blog/six-steps-of-the-nist-risk-management-framework
Veltsos, C. (2019, July 22). NIST Says Preparation is Key to the Risk Management Framework.
https://securityintelligence.com/articles/nist-says-preparation-is-key-to-the-risk-management-framework/