Understanding the NIST Risk Management Framework (RMF)
The management of organizational risk is a key element in any organization’s information security program, particularly those like Department of Defense (DoD) contractors that process highly sensitive, critical data.
With this in mind, the National Institute of Standards and Technology (NIST) has developed the Risk Management Framework (RMF), a set of processes for federal bodies to integrate information security and risk management into their systems development life cycles.
The Six Steps of the Risk Management Framework (RMF)
The RMF consists of six steps to help an organization select the appropriate security controls to protect against resource, asset, and operational risk. They are:
Step 1: Categorize the system and the information that is processed, stored and transmitted by the system.
Step 2: Select an initial set of baseline security controls for the system based on the categorization, tailoring and supplementing as needed.
Step 3: Implement the security controls and document how they are deployed.
Step 4: Assess the security controls to determine the extent to which they are meeting the security requirements for the system.
Step 5: Authorize system operation based upon a determination that the level of risk is acceptable.
Step 6: Monitor and assess selected security controls in the system on an ongoing basis and reporting the security state of the system to appropriate organizational officials.
Who Needs to Implement the RMF and Why?
Industries with critical or highly sensitive data needs are increasingly adopting the RMF in an effort to cope with growing risk and comply with their strict legislation— think defense (DFARS), healthcare (HIPAA), and retail/payment (PCI).
However, it’s our professional opinion that every organization that handles sensitive data can benefit from adopting the RMF. Why?
First, the RMF functions as a very effective security planning tool that gives you a comprehensive picture of your organizational risk. This helps to inform a solid risk management strategy and focus your attention on the areas that matter most to your organizational security.
Second, the RMF is not specific to any one agency or body, which gives it the flexibility to be adopted and applied by organizations of all shapes, sizes, and industries — including yours.
Finally, the RMF is seen as the gold standard on which many risk management approaches are modeled. For that reason, it wouldn’t be surprising to see it mandated in some form in the near future, particularly for high-risk industries, but possibly across the board.
This happened recently with the EU’s General Data Protection Regulation (GDPR), which mandated that any and every company handling sensitive data comply with the regulations, regardless of industry.
By adopting RMF in your own organization, you’ll be automatically compliant if and when any similar legislation comes into force on our own shores, while your competitors will likely be scrambling to catch up.
RMF and Defense Contractors
Contractors of the DoD have a set of legal obligations under the Defense Federal Acquisition Regulation Supplement, or DFARS. This legislation requires such contractors to demonstrate proactive compliance with, among other frameworks, the NIST Special Publication 800-171 (NIST 800-171), which lays out how they must protect sensitive defense information and report cybersecurity incidents.
So, if a contractor is already DFARS-compliant, and they’re already implementing the security controls set out in NIST 800-171, why do they need to adopt the RMF too? (Not DFARS Compliant? Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operation.)
In working with our defense clients on securing their acquisitions processes, we’ve consistently observed the need for security controls above and beyond what NIST 800-171 requires. That’s exactly what the RMF provides, paying attention to areas such as resilience enhancements and tailoring requirements.
It’s our opinion, then, that the RMF can help defense contractors to plan risk-based security control implementation in a much more broad, holistic manner than DFARS and NIST 800-171 compliance alone.
Limitations of RMF
Because it’s a framework, the NIST RMF doesn’t tell you how to achieve the recommended steps. That means that for small and medium organizations without significant information security experience, or the resources to obtain it, implementing the framework can be a challenge.
That’s Where CyberSheath Comes In
Our cybersecurity experts can help you to minimize your organizational risk with comprehensive risk management planning, including the implementation of the NIST Risk Management Framework. Contact us now to find out how we can help protect your organization.