NIST RMF (National Institute of Standards and Technology's Risk Management Framework)

The NIST RMF (National Institute of Standards and Technology's Risk Management Framework) described here comprises a mature process that has been applied in the field of risk management for almost ten years. This RMF is primarily designed to manage software-induced business risks. Through the application of five simple activities, analysts use their own technical expertise, relevant tools, and technologies to carry out a reasonable risk management approach.
The purpose of an RMF like this is to allow a consistent and repeatable expertise-driven approach to risk management. By carrying out and describing the software risk management activities in a consistent manner, a basis for measurement and common metrics emerges. Such metrics are sorely needed: they should allow organizations to better manage business and technical risks given particular quality goals, make more informed and objective business decisions regarding software, and improve internal software development processes so that those processes in turn better manage software risks.

1.    Five Stages of Activity

The RMF consists of five fundamental activity stages:

·    Understand the business context.
·    Identify the business and technical risks.
·    Synthesize and prioritize the risks, producing a ranked set.
·    Define the risk mitigation strategy.
·    Carry out required fixes and validate that they are correct.

NIST RMF also outlines a series of activities related to managing organizational risk. According to NIST, these can be applied to both new and legacy information systems.
The activities include:

·    Categorizing information systems and the information within those systems based on impact.
·    Selecting an initial set of security controls for the systems based on the Federal Information Processing Standards (FIPS) 199 security categorization and the minimum security requirements defined in FIPS 200.
·    Implementing security controls in the systems.
·    Assessing the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcomes with respect to meeting security requirements for the system.
·    Authorizing information systems operation based on a determination of the risk to organizational operations and assets, or to individuals resulting from the operation of the systems, and the decision that this risk is acceptable.
·    Monitoring and assessing selected security controls in information systems on a continuous basis, including documenting changes to the systems, conducting security-impact analyses of the associated changes, and reporting the security status of the systems to appropriate organizational officials on a regular basis.

One of the primary strengths of RMF is that it was developed by NIST, which is charged by Congress with ensuring that security standards and tools are researched, proven and developed to provide a high level of information security infrastructure. Because government agencies and the businesses that support them need their IT security standards and tools to be both cost-effective and highly adaptable, the framework is constantly being reviewed and updated as new technology is developed and new laws are passed. Furthermore, independent companies have developed tools that support the NIST standards, knowing that the basis for their applications is stable; because of this stability, software development companies are more willing to build application tools that support the framework. The model also helps companies determine when something exceeds a certain threshold of risk.

As for weaknesses, like any of these frameworks, you have to make sure that the people who are doing the risk assessment have the discipline to input reasonable data into the model so that you get reasonable data outputs. After all, you cannot manage what you cannot measure and, most of all, what you cannot see. Additionally, since it is a documented framework rather than an automated tool, its results depend not only on the quality of its inputs and outputs but also on the judgment and aspirations of the people applying it, which can be quite subjective.

To sum up, the importance of identifying, tracking, storing, measuring, and reporting software risk information cannot be overemphasized. Successful use of the RMF depends on continuous and consistent identification and storage of risk information as it changes over time. A master list of risks should be maintained during all stages of RMF execution and continually revisited. Measurements regarding this master list make excellent reporting information. For example, the number of risks identified in various software artifacts and/or software life-cycle phases can be used to identify problematic areas in the software process. Likewise, the number of software risks mitigated over time can be used to show concrete progress as risk mitigation activities unfold. Links to descriptions or measurements of the corresponding business risks mitigated can be used to clearly demonstrate the business value of the software risk mitigation process and the risk management framework.
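As an added illustration (not part of the original post, and not NIST's own tooling), the following Python sketch shows what the master list described above looks like in code: a risk register that records business and technical risks, produces the ranked set called for in the third stage, and computes the reporting metrics named here (risks per artifact and life-cycle phase, mitigations over time, and which business risks the mitigated technical risks map back to). The likelihood/impact scoring rule, the 1 to 5 scales, and all sample risks are constructed assumptions; the post only says that risks are synthesized into a ranked set, not how.

```python
"""Minimal RMF-style risk register: a master list of risks plus the metrics the
summary above calls for (risks per artifact/phase, mitigations over time, links
to business risks). Scoring rule, scales and sample data are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Risk:
    rid: str
    description: str
    kind: str                     # "business" or "technical"
    artifact: str                 # software artifact the risk was found in
    phase: str                    # life-cycle phase where it was identified
    likelihood: int               # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe); assumed scale
    business_risk_ids: List[str] = field(default_factory=list)  # linked business risks
    mitigated_on: Optional[date] = None   # None while the risk is still open

    @property
    def score(self) -> int:
        # Assumed prioritisation rule: likelihood x impact.
        return self.likelihood * self.impact

    @property
    def is_open(self) -> bool:
        return self.mitigated_on is None


class RiskRegister:
    """The master list that is maintained and revisited through every RMF stage."""

    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.rid in self._risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        self._risks[risk.rid] = risk

    def mitigate(self, rid: str, when: date) -> None:
        """Record that a fix was carried out and validated (stage 5)."""
        self._risks[rid].mitigated_on = when

    def ranked(self) -> List[Risk]:
        """Stage 3 output: open risks, highest score first, ties broken by id."""
        open_risks = [r for r in self._risks.values() if r.is_open]
        return sorted(open_risks, key=lambda r: (-r.score, r.rid))

    def count_by_phase(self) -> Counter:
        """Risks identified per life-cycle phase (points at problematic process areas)."""
        return Counter(r.phase for r in self._risks.values())

    def count_by_artifact(self) -> Counter:
        """Risks identified per software artifact."""
        return Counter(r.artifact for r in self._risks.values())

    def mitigated_by_month(self) -> Counter:
        """Risks closed per month, i.e. concrete progress over time."""
        return Counter(r.mitigated_on.strftime("%Y-%m")
                       for r in self._risks.values() if not r.is_open)

    def business_risks_addressed(self) -> set:
        """Business risks that at least one mitigated technical risk maps to."""
        return {bid for r in self._risks.values()
                if r.kind == "technical" and not r.is_open
                for bid in r.business_risk_ids}


def build_sample_register() -> RiskRegister:
    """Constructed example data for a hypothetical system; not from any real assessment."""
    reg = RiskRegister()
    reg.add(Risk("B1", "Customer data breach", "business", "business-plan", "requirements", 3, 5))
    reg.add(Risk("B2", "Regulatory fine", "business", "business-plan", "requirements", 2, 4))
    reg.add(Risk("T1", "Session tokens never expire", "technical", "auth-service", "design", 4, 5, ["B1"]))
    reg.add(Risk("T2", "Card numbers written to logs", "technical", "payment-api", "implementation", 3, 4, ["B1", "B2"]))
    reg.add(Risk("T3", "Unsigned build artifacts", "technical", "build-pipeline", "implementation", 2, 5, ["B2"]))
    reg.add(Risk("T4", "No negative tests for input validation", "technical", "auth-service", "testing", 5, 2))
    reg.mitigate("T2", date(2016, 1, 20))
    reg.mitigate("T3", date(2016, 2, 3))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("Ranked open risks:", [(r.rid, r.score) for r in reg.ranked()])
    print("Risks per phase:", dict(reg.count_by_phase()))
    print("Risks per artifact:", dict(reg.count_by_artifact()))
    print("Mitigated per month:", dict(reg.mitigated_by_month()))
    print("Business risks addressed:", sorted(reg.business_risks_addressed()))
```

Running the script on the constructed data ranks the open risks T1, B1, T4, B2, shows two risks found in the implementation phase, one mitigation in each of January and February 2016, and both business risks linked to at least one closed technical risk. Keeping the business-risk links on each technical entry is what makes the last metric possible, which is the figure that demonstrates business value to management.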

2 Responses to "NIST RMF (National Institute of Standards and Technology's Risk Management Framework)"

  1. James Muller January 14, 2016 at 12:27 AM
    I am curious about the tools you use to identify the business and technical risks. Are you using SWOT analysis? My partner Butch and I are planning to run a small business. Thanks!
  2. Carmen Babe March 2, 2016 at 7:34 PM
    NIST is one of the organizations I look up to. Their activities are consistent with their goal of helping agencies reduce their risk surrounding consumer privacy.