Difference between revisions of "Risk Management Framework (RMF)"

Revision as of 20:06, 25 September 2019

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.^[1]

The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:

Step 1: Categorize Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Step 2: Select Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on organization assessment of risk and local conditions.

Step 3: Implement Implement the security controls and document how the controls are deployed within the information system and environment of operation.

Step 4: Assess Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Step 5: Authorize Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Step 6: Monitor Monitor and assess selected security controls in the information system on an ongoing basis including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials^[2]

source: [1]

References

↑ Defining Risk Management Framework Wikipedia
↑ An Overview Risk Management Framework (RMF) NIST

@@ Line 26: / Line 26: @@
-===References===
+== See Also ==
+[[Risk Analysis]]<br />
+[[Risk Assessment Framework (RAF)]]<br />
+[[Risk Management]]<br />
+[[Risk Assessment]]<br />
+[[Information Technology Risk (IT Risk)]]<br />
+[[Enterprise Risk Management (ERM)]]<br />
+[[Risk IT Framework]]<br />
+[[Risk Based Testing]]<br />
+[[Risk-Adjusted Return]]<br />
+[[Risk-Adjusted Return on Capital (RAROC)]]<br />
+[[Risk Matrix]]<br />
+[[Risk Maturity]]<br />
+[[Risk Maturity Model (RMM)]]<br />
+[[Risk Mitigation]]
+== References ==
 <references />
-===Further Reading===
+== Further Reading ==
 *Risk Management Framework (RMF) Overview [http://csrc.nist.gov/groups/SMA/fisma/framework.html NIST]
 *Guide for Applying the Risk Management Framework to Federal Information Systems [http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf NIST]
 *Risk Management Framework (RMF) for DoD Information Technology (IT) [http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf DTIC]
 *Overview of RMF - a presentation [http://www.asq509.org/ht/a/GetDocumentAction/i/61054 ASQ509]