Risk Management Framework - Wikipedia


The Risk Management Framework (RMF) is a United States federal government guideline, standard and process for risk management to help secure information systems (computers and networks) developed by the National Institute of Standards and Technology. The Risk Management Framework (RMF), illustrated in the diagram to the right, provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle.[1][2]

[Figure: Risk Management Framework (RMF) Rev. 2 seven-step process]

Contents
1 Overview
2 History
3 Risks
4 Revision 2 updates
5 See also
6 References
7 External links

Overview

The main document that describes the details of RMF is NIST Special Publication 800-37, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy".[3] This is the second revision of this document and supersedes the first revision, "Guide for Applying the Risk Management Framework to Federal Information Systems".[1] The various steps of the RMF link to several other NIST standards and guidelines, including NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations".

The RMF steps include:

0. Prepare to execute the RMF by establishing a context and priorities for managing security and privacy risk at organizational and system levels.[4][5]
1. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.[6][7][8]
2. Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. If any overlays apply to the system, they will be added in this step.[2][9]
3. Implement the security controls identified in step 2.[2]
4. Assess: a third party assesses the controls and verifies that the controls are properly applied to the system.[10]
5. Authorize: the information system is granted or denied an Authorization to Operate (ATO); in some cases it may be postponed while certain items are fixed. The ATO is based on the report from the Assessment phase. An ATO is typically granted for up to 3 years, and the process needs to be repeated at the end of the period.[3]
6. Monitor the security controls in the information system continuously in a pre-planned fashion as documented earlier in the process.[5]

History

The E-Government Act of 2002 (Public Law 107-347), entitled FISMA 2002 (Federal Information Security Management Act), was a law passed in 2002 to protect the economic and national security interests of the United States related to information security.[11]

Congress later passed FISMA 2014 (Federal Information Security Modernization Act) to provide improvements over FISMA 2002 by:

- Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
- Amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and by
- Requiring OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."[12]
FISMA required the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide Confidentiality, Integrity and Availability.[13] Title III of FISMA 2002 tasked NIST with responsibilities for standards and guidelines, including the development of:

- Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency, based on the objectives of providing appropriate levels of information security according to a range of risk levels. This task was satisfied by FIPS Publication 199;[8]
- Guidelines recommending the types of information and information systems to be included in each category. This task was satisfied by NIST Special Publication 800-60, Volumes 1 and 2;[6][7] and
- Minimum information security requirements (i.e., management, operational, and technical controls) for information and information systems in each such category. This task was satisfied by the development of FIPS Publication 200.[9]

NIST 800-37 (Risk Management Framework or RMF) was developed to help organizations manage security and privacy risk, and to satisfy the requirements in the Federal Information Security Modernization Act of 2014 (FISMA), the Privacy Act of 1974, OMB policies, and Federal Information Processing Standards, among other laws, regulations, and policies.[3]
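As an added example (not from the article or from NIST), the following Python models the Categorize and Select steps listed above using the rules of FIPS 199 and FIPS 200: each security objective takes the high-water mark across the system's information types, and the highest of the three objectives picks the SP 800-53 baseline that is then tailored. The information types and their impact values are constructed for illustration; real provisional values come from SP 800-60 and the organization's own impact analysis.

```python
# Added example (not from the article or NIST): models the RMF Categorize and
# Select steps. FIPS 199 sets the system category as the high-water mark of
# each security objective across information types; FIPS 200 picks the
# SP 800-53 baseline from the highest of the three. Sample data is constructed.
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}   # FIPS 199 impact ordering
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with provisional impact per objective (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels):
    """Return the most severe impact level among those given; reject unknown levels."""
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown FIPS 199 impact level {lvl!r}")
    return max(levels, key=LEVELS.__getitem__)


def categorize_system(info_types):
    """FIPS 199 system security category, per objective, e.g.
    {'confidentiality': 'moderate', 'integrity': 'high', 'availability': 'moderate'}."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: high_water_mark([getattr(t, obj) for t in info_types])
            for obj in OBJECTIVES}


def select_baseline(category):
    """FIPS 200: the overall impact level (highest across C, I, A) chooses the
    low/moderate/high SP 800-53 baseline that is then tailored and overlaid."""
    return high_water_mark(list(category.values()))


# Constructed sample: a payroll system processing two information types.
SAMPLE_SYSTEM = [
    InfoType("employee PII", "moderate", "moderate", "low"),
    InfoType("payroll disbursement", "low", "high", "moderate"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_SYSTEM)
    print(category, "-> baseline:", select_baseline(category))
```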
Risks

During its life cycle, an information system will encounter many types of risk that affect the overall security posture of the system and the security controls that must be implemented. The RMF process supports early detection and resolution of risks. Risk can be categorized at a high level as infrastructure risks, project risks, application risks, information asset risks, business continuity risks, outsourcing risks, external risks and strategic risks. Infrastructure risks focus on the reliability of computers and networking equipment. Project risks focus on budget, timeline and system quality. Application risks focus on performance and overall system capacity. Information asset risks focus on the damage, loss or disclosure to an unauthorized party of information assets. Business continuity risks focus on maintaining a reliable system with maximum up-time. Outsourcing risks focus on the impact of third-party suppliers meeting their requirements.[14] External risks are items outside the information system's control that impact the security of the system. Strategic risks focus on the need for information system functions to align with the business strategy that the system supports.[15]

Revision 2 updates

The major objectives for the update to revision 2 included the following:[16]

- Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
- Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
- Demonstrate how the NIST Cybersecurity Framework[17] can be aligned with the RMF and implemented using established NIST risk management processes;
- Integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160 Volume 1[18] with the relevant tasks in the RMF;
- Integrate security-related supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- Allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53 Revision 5.[19]

Revision 2 also added a new "Prepare" step in position zero to achieve more effective, efficient, and cost-effective security and privacy risk management processes.[16]

See also

- Department of Defense Information Assurance Certification and Accreditation Process (DIACAP, previous program)
- NIST Cybersecurity Framework
- Cyber Risk Quantification

References

1. Guide for Applying the Risk Management Framework to Federal Information Systems.
2. Joint Task Force (2020-12-10). "Security and Privacy Controls for Information Systems and Organizations".
3. Joint Task Force (2018-12-20). "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy".
4. Joint Task Force Transformation Initiative (2012-09-17). "Guide for Conducting Risk Assessments".
5. Dempsey, Kelley; Chawla, Nirali; Johnson, L.; Johnston, Ronald; Jones, Alicia; Orebaugh, Angela; Scholl, Matthew; Stine, Kevin (2011-09-30). "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations".
6. Stine, Kevin; Kissel, Richard; Barker, William; Fahlsing, Jim; Gulick, Jessica (2008-08-01). "Guide for Mapping Types of Information and Information Systems to Security Categories".
7. Stine, Kevin; Kissel, Richard; Barker, William; Lee, Annabelle; Fahlsing, Jim (2008-08-01). "Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices".
8. National Institute of Standards and Technology (2004-02-01). "Standards for Security Categorization of Federal Information and Information Systems".
9. National Institute of Standards and Technology (2006-03-01). "Minimum Security Requirements for Federal Information and Information Systems".
10. Joint Task Force Transformation Initiative (2014-12-18). "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans".
11. "govinfo". www.govinfo.gov. Retrieved 2021-07-18.
12. "Federal Information Security Modernization Act | CISA". www.cisa.gov. Retrieved 2021-07-18.
13. Carper, Thomas R. (2014-12-18). "Text - S.2521 - 113th Congress (2013-2014): Federal Information Security Modernization Act of 2014". www.congress.gov. Retrieved 2021-07-18.
14. IT Risk Management Framework for Business Continuity by Change Analysis of Information System.
15. An Empirical Study on the Risk Framework Based on the Enterprise Information System.
16. Computer Security Division, Information Technology Laboratory (2018-12-18). "RMF Update: NIST Publishes SP 800-37 Rev. 2 | CSRC". CSRC | NIST. Retrieved 2021-07-26.
17. [email protected] (2013-11-12). "Cybersecurity Framework". NIST. Retrieved 2021-07-26.
18. Ross, Ron; McEvilley, Michael; Oren, Janet (2018-03-21). "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems".
19. Joint Task Force (2020-12-10). "Security and Privacy Controls for Information Systems and Organizations".

External links

- NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems
- Risk Management Framework Overview
- RMF Control Indexer
- Guide for Mapping Types of Information and Information Systems to Security Categories

Retrieved from "https://en.wikipedia.org/w/index.php?title=Risk_Management_Framework&oldid=1038118307"


