The Risk Management Framework (RMF) is a set of criteria that dictate how the United States government IT systems must be architected, secured, and monitored.
Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. Today, the RMF is maintained by the National Institute of Standards and Technology (NIST) and provides a solid foundation for any data security strategy.
Get the Free Pen Testing Active Directory Environments EBook
The RMF builds on several previous risk management frameworks and includes a number of independent processes and systems. It requires that firms implement secure data governance systems, for example, as well as performing threat modeling to identify areas of cyber risk.
In this guide, we’ll take you through everything you need to know about the RMF. We’ll break down the components of the framework in several sections.
What is the Risk Management Framework Comprised Of?
The general concept of “risk management” and the “risk management framework” might appear to be quite similar, but it’s important to know the difference between the two. The risk management framework is detailed by NIST in several different frameworks.
The most important is the elegantly titled “NIST SP 800-37 Rev.1”, which defines the RMF as a 6-step process to architect and engineer a data security process for new IT systems, and suggests best practices and procedures each federal agency must follow when enabling a new system.
In addition to the primary document SP 800-37, the RMF uses supplemental documents SP 800-30, SP 800-53, SP 800-53A, and SP 800-137:
- NIST SP 800-30, entitled Guide for Conducting Risk Assessments, is a summation of how risk management fits into the system development life cycle (SDLC) and details how personnel can conduct risk assessments and how they can mitigate risks.
- NIST SP 800-37 covers the risk management framework itself and contains much of the information we’ll cover in the remainder of this guide.
- NIST SP 800-39, titled Managing Information Security Risk, lays out the in-depth organization-wide approach to risk management that is crucial for reaching compliance with the RMF.
The 5 Risk Management Components
When getting started with the RMF, it can be useful to break the requirements of risk management down into a number of categories. These categories provide a way of working toward an effective risk management system, from the identification of the most important risks you face to the ways in which you will mitigate them. Let’s work through each in turn.
The first, and arguably the most important, part of the RMF is to perform risk identification. This process seeks to assess the likelihood of a cyber attack, and the outcome of it will be a list of all the possible risks to your systems. Examples include IT, regulatory, legal, operational, strategic and political risk.
After breaking down all possible risks, you should then categorize these into core and non-core risks. Those categorized as core risks are ones that drive growth and company success. Those categorized as non-core risks are often not necessary risks to take and can be minimized or eliminated.
Risk Measurement and Assessment
The next step in developing a risk management framework is to quantify the impact of the risks you face. This should be done for both specific risk exposure and composite risk exposure as well as the probability of a loss happening because of an exposure. When you measure specific risk exposure, it’s important to take a holistic view and to consider the effect a risk could have on the comprehensive risk profile of your company.
After you categorize and measure your company’s risks, decide which non-core risks to minimize or eliminate altogether. Then take a look at your core risks and decide which are necessary to keep. Risk mitigation should be based on the risk assessment completed in the previous step, from there you should prioritize risks that are the most important and dangerous.
Risk Reporting and Monitoring
You should regularly report on specific and comprehensive risk measures to ensure that risk levels stay at a reasonable level. Risk reports should be sent to those who have the authority to adjust risk exposures or can help guide others to do so. Statistics on data breaches indicate that many companies still do not report all of the successful attacks they are exposed to, and that could have an impact on their peers.
Finally, all of the steps above should be codified into a risk governance system. Risk governance ensures that employees operate in accordance with your company policy and risk management framework. Risk governance includes defining and assigning employee roles, delegating and segregating duties and authority. Your risk governance authority body could consist of individuals, committees, etc. to approve and oversee core risks, reporting, risk limits and exceptions.
The 6 Risk Management Framework (RMF) Steps
The processes mandated by the RMF closely resemble those of the generic risk management process we’ve outlined in the previous section. At the broadest level, they require companies to identify which system and data risks they are exposed to, and to put in place reasonable measures to mitigate them. The RMF breaks down these objectives into 6 interconnected but separate stages.
Below, we’ve visualized the RMF 6-step process. Browse through the graphic and take a look at the steps in further detail beneath.
Step 1: Categorize Information System
The Information System Owner assigns a security role to the new IT system based on mission and business objectives. The security role must be consistent with the organization’s risk management strategy.
Step 2: Select Security Controls
The security controls for the project are selected and approved by leadership from the common controls, and supplemented by hybrid or system-specific controls. Security controls are the hardware, software, and technical processes required to fulfill the minimum assurance requirements as stated in the risk assessment. Additionally, the agency must develop plans for continuous monitoring of the new system during this step.
Step 3: Implement Security Controls
Simply put, put step 2 into action. By the end of this step, the agency should have documented and proven that they have achieved the minimum assurance requirements and demonstrated the correct use of information system and security engineering methodologies.
Step 4: Assess Security Controls
An independent assessor reviews and approves the security controls as implemented in step 3. If necessary, the agency will need to address and remediate any weaknesses or deficiencies the assessor finds and then documents the security plan accordingly.
Step 5: Authorize Information System
The agency must present an authorization package for risk assessment and risk determination. The authorizing agent then submits the authorization decision to all necessary parties.
Step 6: Monitor Security Controls
The agency continues to monitor the current security controls and update security controls based on changes to the system or the environment. The agency regularly reports on the security status of the system and remediates any weaknesses as necessary.
How Can An Effective Risk Management Framework Benefit A Business?
Though the RMF is a requirement for businesses working with the US Government, implementing an effective risk management system can have many benefits for businesses. The ultimate goal of working toward RMF compliance is the creation of a data and asset governance system that will provide full-spectrum protection against all the cyber risks you face.
More specifically, developing an effective risk management framework will provide a company with a number of specific benefits:
An effective risk management framework will prioritize understanding the risks that your business faces in time to take the necessary steps to protect your assets and your business. This means that a thorough risk management framework will not only help you to protect your data but also your assets.
Reputation management is an important part of modern business practices, and limiting the detrimental consequences of cyber attacks is an important part of ensuring that your reputation is protected. Consumers in the US are increasingly aware of the importance of data privacy, not least because US privacy laws, are becoming increasingly strict and your reputation will be damaged if you suffer from a data breach. An effective risk management framework can help companies quickly analyze gaps in enterprise-level controls and develop a roadmap to reduce or avoid reputational risks.
Almost every company has intellectual property that must be protected, and a risk management framework applies just as much to this property as your data and assets. If you sell, offer, distribute, or provide a product or service that gives you a competitive edge, you are exposed to potential Intellectual Property theft. A risk management framework helps protect against potential losses of competitive advantage, business opportunities, and even legal risks.
Finally, developing a risk management framework can have beneficial impacts on the fundamental operation of your business. By cataloging the risks you face and taking measures to mitigate them, you will also be gathering a wealth of valuable information on the market that you operate within, and this – in itself – can give you a competitive advantage over your peers.
NIST Risk Assessment Checklist: 14 Tips
As we’ve explained above, the RMF is primarily based on the “NIST SP 800-37 Rev.1” standards. Though compliance with the NIST Risk Assessment Checklist does not fulfill RMF compliance requirements entirely, it does contain most of the important processes that you should implement in order to achieve RMF compliance.
In this section, we’ll give you a checklist that can be used to work toward NIST compliance and can then form the basis of your RMF compliance process. Below this list, you can click to download a printable version.
1) Access Control
- Limit information system access to authorized users
- Separate the duties of individuals to reduce the risk of malevolent collusion
- Limit unsuccessful login attempts
- Require encryption and authentication of various devices (including mobile devices), and route remote access through managed access control points
2) Awareness and Training
- Educate managers, systems administrators, and users about security risks associated with their activities and applicable policies, standards and procedures
- Provide security awareness training on recognizing and reporting potential indicators of insider threat
3) Audit and Accountability
- Use automated mechanisms to integrate and correlate audit and reporting processes
- Support on-demand analysis and reporting
4) Configuration Management
- Limit the types of programs users can install
- Control and monitor all user-installed software
5) Identification and Authentication
- Prevent reuse of identifiers for a defined period
- Disable identifiers after a defined period of inactivity
- Enforce minimum password complexity, i.e., “smart passwords”
6) Incident Response
- Develop and test an incident response plan
- Ensure equipment removed off-site is sanitized of any CUI
- Require multi-factor authentication to establish nonlocal maintenance sessions
8) Media Protection
- Protect (i.e., physically control and securely store) information system media (paper and digital) containing CUI
- Sanitize or destroy information system media containing CUI before disposal or release for reuse
9) Personnel Security
- Screen individuals prior to authorizing access to systems containing CUI
10) Physical Protection
- Maintain audit logs of physical access
- Control and manage physical access devices
11) Risk Assessment
- Scan for and remediate vulnerabilities in the information system and applications
12) Security Assessment
- Periodically assess and monitor the security controls for effectiveness in their applications
- Develop and implement plans of action designed to correct deficiencies and reduce/eliminate vulnerabilities
13) System and Communications Protection
- Separate user functionality from information system management functionality
- Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
- Control and monitor the use of Voice over Internet Protocol technologies
14) System and Information Integrity
- Update malicious code protection mechanisms when new releases are available
- Identify unauthorized use of the information system
How Can Varonis Help You Be Compliant?
NIST regulation and the RMF (in fact, many of the data security standards and compliance regulations) have three areas in common:
- Identify your sensitive and at-risk data and systems (including users, permissions, folders, etc.)
- Protect that data, manage access, and minimize the risk surface;
- Monitor and detect what’s happening on that data, who’s accessing it, and identify when there is suspicious behavior or unusual file activity.
The Varonis Data Security Platform enables federal agencies to manage (and automate) many of these practices and regulations required in the RMF.
DatAdvantage and Data Classification Engine identifies sensitive data on core data stores, and maps user, group, and folder permissions so that you can identify where your sensitive data is and who can access it. Knowing who has access to your data is a key component of the risk assessment phase, defined in NIST SP 800-53.
Data security analytics helps meet the NIST SP 800-53 requirement to constantly monitor your data: Varonis analyzes billions of events from data access activity, VPN, DNS, and proxy activity, and Active Directory and automatically builds behavioral profiles for each user and device. Machine-learning-powered threat models proactively identify abnormal behavior and potential threats like ransomware, malware, brute force attacks, and, insider threats.
NIST SP 800-137 establishes guidelines to protect your data and requires that the agency meet a least-privilege model. DatAdvantage surfaces where users have access that they might no longer need-based. Automation Engine can clean up permissions and remove global access groups automatically. DataPrivilege streamlines permissions and access management by designating data owners and automating entitlement reviews.
While the Risk Management Framework is complex on the surface, ultimately it’s a no-nonsense and logical approach to good data security practices– see how Varonis can help you meet the NIST SP 800-37 RMF guidelines today.
A Final Word
Working toward RMF compliance is not just a requirement for companies working with the US government. If you implement a risk assessment and governance strategy effectively, it can also provide you with plenty of operational benefits.
The primary focus of your RMF processes should be on data integrity because threats to data are likely to be the most critical that your business faces. That’s why we’ve built our Varonis software suite with features that allow you to quickly and effectively implement a risk assessment and governance process.