Risk Management Framework (RMF) - Revision history

User at 16:25, 20 January 2023

2023-01-20T16:25:38Z

User at 16:07, 20 January 2023

2023-01-20T16:07:24Z

User: The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

2021-02-06T18:06:11Z

The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

User at 03:15, 21 March 2020

2020-03-21T03:15:37Z

User at 19:37, 20 March 2020

2020-03-20T19:37:52Z

User at 20:06, 25 September 2019

2019-09-25T20:06:05Z

User: Developed by NIST, the Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.

2019-01-05T14:45:07Z

Developed by NIST, the Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.

New page

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.<ref>Defining Risk Management Framework [https://en.wikipedia.org/wiki/Risk_management_framework Wikipedia]</ref>

The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:

Step 1: Categorize
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Step 2: Select
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on organization assessment of risk and local conditions.

Step 3: Implement
Implement the security controls and document how the controls are deployed within the information system and environment of operation.

Step 4: Assess
Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Step 5: Authorize
Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Step 6: Monitor
Monitor and assess selected security controls in the information system on an ongoing basis including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials<ref>An Overview Risk Management Framework (RMF) [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]</ref>

[[File:Rmf.JPG|400px|Risk Management Framework]]<br />
source: [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities|OWASP]

===References===
<references />

===Further Reading===
*Risk Management Framework (RMF) Overview [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]
*Guide for Applying the Risk Management Framework to Federal Information Systems [http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf NIST]
*Risk Management Framework (RMF) for DoD Information Technology (IT) [http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf DTIC]
*Overview of RMF - a presentation [http://www.asq509.org/ht/a/GetDocumentAction/i/61054 ASQ509]

@@ Line 1: / Line 1: @@
-== What is the NIST Risk Management Framework? ==
+== What is the NIST Risk Management Framework?<ref>[https://www.varonis.com/blog/risk-management-framework/ Defining Risk Management Framework]</ref> ==
-The '''NIST Risk Management Framework (RMF)''' is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. The RMF is maintained by the National Institute of Standards and Technology (NIST) and provides a solid foundation for any data security strategy.<ref>Defining Risk Management Framework [https://www.varonis.com/blog/risk-management-framework/ Varonis]</ref>
+The '''NIST Risk Management Framework (RMF)''' is a federal guideline for organizations to assess and manage risks to their computers and information systems. This framework was established by the National Institute of Science and Technology to ensure the security of defense and intelligence networks. Federal agencies are required to comply with the risk management framework, but private companies and other organizations may also benefit from following its guidelines. The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
-NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
+RMF is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. The RMF is maintained by the National Institute of Standards and Technology (NIST) and provides a solid foundation for any data security strategy. The RMF builds on several previous risk management frameworks and includes several independent processes and systems. It requires that firms implement secure data governance systems and perform threat modeling to identify cyber risk areas.
@@ Line 14: / Line 25: @@
-== Risk Management Framework (RMF) Steps<ref>[http://csrc.nist.gov/groups/SMA/fisma/framework.html Risk Management Framework (RMF) Steps]</ref> ==
+== Risk Management Framework (RMF) Steps<ref>[https://csrc.nist.gov/projects/risk-management/about-rmf Risk Management Framework (RMF) Steps]</ref> ==
 The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:
 *Step 1: Categorize: Categorize the information system and the information processed, stored, and transmitted by that system based on impact analysis.
@@ Line 45: / Line 56: @@
 == See Also ==
-[[Risk Analysis]]<br />
+[[Information Security]]

@@ Line 1: / Line 1: @@
-The '''[[Risk]] [[Management]] [[Framework]] (RMF)''' is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. The RMF is maintained by the [[National Institute of Standards and Technology (NIST)]], and provides a solid foundation for any [[data]] security [[strategy]].<ref>Defining Risk Management Framework [https://www.varonis.com/blog/risk-management-framework/ Varonis]</ref>
+== What is the NIST Risk Management Framework? ==
-NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) [[process]] into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the [[system]] development life cycle.<ref>What is the Risk Management Framework [https://en.wikipedia.org/wiki/Risk_management_framework Wikipedia]</ref>
+NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
-'''Risk Management Framework (RMF) Steps<ref>Risk Management Framework (RMF) Steps [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]</ref><br />'''
+== Components of the Risk Management Framework (RMF)<ref>[https://www.techtarget.com/searchcio/definition/Risk-Management-Framework-RMF What are the components of the RMF??]</ref> ==
-The risk-based approach to security [[control]] [[selection]] and specification considers effectiveness, [[efficiency]], and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective [[Information Security|information security]] program and can be applied to both new and [[Legacy Systems|legacy information systems]] within the context of the [[Systems Development Life Cycle (SDLC)|system development life cycle]] and the [[Federal Enterprise Architecture Framework (FEA)|Federal Enterprise Architecture]]:
+There are five components that make up the RMF. These components include the following:
-Step 2: Select
+== Risk Management Framework (RMF) Steps<ref>[http://csrc.nist.gov/groups/SMA/fisma/framework.html Risk Management Framework (RMF) Steps]</ref> ==
-Select an initial set of [[baseline]] security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on [[organization]] assessment of risk and local conditions.
+The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:
-Step 4: Assess
+[[File:Rmf.JPG|400px|Risk Management Framework]]<br />
-Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired [[outcome]] with respect to meeting the security requirements for the system.
+source: OWASP
-Step 6: Monitor
+== History of the RMF<ref>[https://en.wikipedia.org/wiki/Risk_Management_Framework History of the NIST Risk Manahgement Framework]</ref> ==
-Monitor and assess selected security controls in the information system on an ongoing basis including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials
+The E-Government Act of 2002 (Public Law 107-347) entitled FISMA 2002 (Federal Information Security Management Act) was a law passed in 2002 to protect the economic and national security interests of the United States related to information security.
-[[File:Rmf.JPG|400px|Risk Management Framework]]<br />
+FISMA required the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide Confidentiality, Integrity, and Availability. Title III of FISMA 2002 tasked NIST with responsibilities for standards and guidelines, including the development of:
-source: [https://www.owasp.org/index.php/How_to_bootstrap_the_NIST_risk_management_framework_with_verification_activities|OWASP]
+*Standards are to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels. This task was satisfied by FIPS Publication 199;
@@ Line 56: / Line 70: @@
 == Further Reading ==
-*Risk Management Framework (RMF) Overview [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]
+* [http://csrc.nist.gov/groups/SMA/fisma/framework.html Risk Management Framework (RMF) Overview]
-*Guide for Applying the Risk Management Framework to Federal Information Systems [http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf NIST]
+*[http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf Guide for Applying the Risk Management Framework to Federal Information Systems]
-*Risk Management Framework (RMF) for DoD [[Information Technology (IT)]] [http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf DTIC]
+*[http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf Risk Management Framework (RMF) for DoD Information Technology (IT)]
-*Overview of RMF - a presentation [http://www.asq509.org/ht/a/GetDocumentAction/i/61054 ASQ509]
+*[http://www.asq509.org/ht/a/GetDocumentAction/i/61054 Overview of RMF - a presentation]

@@ Line 1: / Line 1: @@
-The '''Risk Management Framework (RMF)''' is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. The RMF is maintained by the National Institute of Standards and Technology (NIST), and provides a solid foundation for any data security strategy.<ref>Defining Risk Management Framework [https://www.varonis.com/blog/risk-management-framework/ Varonis]</ref>
+The '''[[Risk]] [[Management]] [[Framework]] (RMF)''' is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. The RMF is maintained by the [[National Institute of Standards and Technology (NIST)]], and provides a solid foundation for any [[data]] security [[strategy]].<ref>Defining Risk Management Framework [https://www.varonis.com/blog/risk-management-framework/ Varonis]</ref>
-NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.<ref>What is the Risk Management Framework [https://en.wikipedia.org/wiki/Risk_management_framework Wikipedia]</ref>
+NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) [[process]] into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the [[system]] development life cycle.<ref>What is the Risk Management Framework [https://en.wikipedia.org/wiki/Risk_management_framework Wikipedia]</ref>
 '''Risk Management Framework (RMF) Steps<ref>Risk Management Framework (RMF) Steps [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]</ref><br />'''
-The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective [[Information Security|information security]] program and can be applied to both new and [[Legacy Systems|legacy information systems]] within the context of the [[Systems Development Life Cycle (SDLC)|system development life cycle]] and the [[Federal Enterprise Architecture Framework (FEA)|Federal Enterprise Architecture]]:
+The risk-based approach to security [[control]] [[selection]] and specification considers effectiveness, [[efficiency]], and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective [[Information Security|information security]] program and can be applied to both new and [[Legacy Systems|legacy information systems]] within the context of the [[Systems Development Life Cycle (SDLC)|system development life cycle]] and the [[Federal Enterprise Architecture Framework (FEA)|Federal Enterprise Architecture]]:
 Step 1: Categorize
-Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
+Categorize the information system and the information processed, stored, and transmitted by that system based on an [[impact]] analysis.
 Step 2: Select
-Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on organization assessment of risk and local conditions.
+Select an initial set of [[baseline]] security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on [[organization]] assessment of risk and local conditions.
 Step 3: Implement
@@ Line 17: / Line 17: @@
 Step 4: Assess
-Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
+Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired [[outcome]] with respect to meeting the security requirements for the system.
 Step 5: Authorize
@@ Line 58: / Line 58: @@
 *Risk Management Framework (RMF) Overview [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]
 *Guide for Applying the Risk Management Framework to Federal Information Systems [http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf NIST]
-*Risk Management Framework (RMF) for DoD Information Technology (IT) [http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf DTIC]
+*Risk Management Framework (RMF) for DoD [[Information Technology (IT)]] [http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf DTIC]
 *Overview of RMF - a presentation [http://www.asq509.org/ht/a/GetDocumentAction/i/61054 ASQ509]

@@ Line 5: / Line 5: @@
 '''Risk Management Framework (RMF) Steps<ref>Risk Management Framework (RMF) Steps [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]</ref><br />'''
-The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the [[Federal Enterprise Architecture Framework (FEA)|Federal Enterprise Architecture]]:
+The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective [[Information Security|information security]] program and can be applied to both new and [[Legacy Systems|legacy information systems]] within the context of the [[Systems Development Life Cycle (SDLC)|system development life cycle]] and the [[Federal Enterprise Architecture Framework (FEA)|Federal Enterprise Architecture]]:
 Step 1: Categorize

@@ Line 1: / Line 1: @@
-NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.<ref>Defining Risk Management Framework [https://en.wikipedia.org/wiki/Risk_management_framework Wikipedia]</ref>
+The '''Risk Management Framework (RMF)''' is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. The RMF is maintained by the National Institute of Standards and Technology (NIST), and provides a solid foundation for any data security strategy.<ref>Defining Risk Management Framework [https://www.varonis.com/blog/risk-management-framework/ Varonis]</ref>
-The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:
+NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.<ref>What is the Risk Management Framework [https://en.wikipedia.org/wiki/Risk_management_framework Wikipedia]</ref>
 Step 1: Categorize
@@ Line 19: / Line 23: @@
 Step 6: Monitor
-Monitor and assess selected security controls in the information system on an ongoing basis including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials<ref>An Overview  Risk Management Framework (RMF) [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]</ref>
+Monitor and assess selected security controls in the information system on an ongoing basis including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials
@@ Line 40: / Line 44: @@
 [[Risk Maturity]]<br />
 [[Risk Maturity Model (RMM)]]<br />
-[[Risk Mitigation]]
+[[Risk Mitigation]]<br />