Since 2017, federal agencies have been mandated to follow the National Institute of Standards and Technology’s Cybersecurity Framework to manage cybersecurity risk. However, for years before that, feds needed to follow another NIST publication to do similar activities: the Risk Management Framework for Information Systems and Organizations.
The guide, NIST Special Publication 800-37, has been around since 2007 and was updated in December 2018. During the Obama administration, the Office of Management and Budget Circular A-130 noted that the Risk Management Framework “requires agencies to categorize each information system and the information processed, stored, and transmitted by each system based on a mission or business impact analysis.”
What Is the NIST Risk Management Framework?
What does that mean in plain English? Ron Ross, a fellow at NIST and one of the agency’s cybersecurity experts, says the RMF is intended to help agencies “select and deploy the appropriate safeguards to protect their information and their information systems.” The RMF was originally designed to help agencies comply with the Federal Information Security Modernization Act.
Over the past decade, Ross says, the RMF has evolved to include cybersecurity, privacy and supply chain risk management. Now, its main purpose is to give “discipline and structure to how organizations go about selecting the appropriate safeguards and countermeasures. The framework is the process of managing risk, and its security controls are the specific things we do to protect systems.”
The Risk Management Framework is composed of six basic steps for agencies to follow as they try to manage cybersecurity risk, according to Ross.
What Are NIST’s Risk Management Framework Steps?
- Categorize. This is the first step in the NIST risk management framework, and it forces agencies to follow the “triage concept,” Ross says, categorizing their IT and data based on how it might impact their mission, ranging from low impact to high. A low-impact system would be something that, if it were lost or compromised, would have a limited adverse impact. A moderate-impact system’s loss would be serious but not catastrophic, according to Ross. And a high-impact system’s compromise would result in severe or catastrophic effects. Agency IT leaders are required to “take an honest look” at all of their data and systems and place them into those three buckets. From there, agencies apply different security controls to their data.
- Select. This is the next step, in which agencies select “an initial set of baseline security controls for the system based on the security categorization; tailoring and supplementing the security control baseline as needed based on organization assessment of risk and local conditions,” as a NIST webpage notes. Those controls are then put into agency security and privacy plans.
- Implement. The third step is to implement the security controls and document how they are being deployed throughout the agency. Many of the controls come from commercial cybersecurity solutions, Ross notes, and “a lot of that technology is built into the products.”
- Assess. The fourth step is to assess the security controls “using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system,” according to NIST.
- Authorize. After that, the fifth step is to authorize system operations based on the risk level to the agency’s operations and assets, individuals, other organizations and the nation, and the determination that the risk level is acceptable.
- Monitor. After all of that is done, agencies must monitor and assess their security controls continuously to determine how effective they are, and must document “changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials,” according to NIST.
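The first two steps, Categorize and Select, can be made concrete in code. The example below is added here and is not from the article or from NIST: it applies the high-water-mark rule that FIPS 199 uses for categorization (the system takes the highest impact level found in any of confidentiality, integrity or availability for any information type it handles), then pulls a cumulative baseline from a small constructed catalog and tailors it. The control identifiers are SP 800-53 identifiers, but the baseline tier assigned to each is illustrative, following the article's grouping rather than the full 800-53 baseline tables.

```python
# Impact levels, ordered so max() yields the FIPS 199 "high-water mark".
LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types):
    """RMF step 1 (Categorize). info_types maps an information type to its
    (confidentiality, integrity, availability) impact levels. The system
    category is the highest level found in any objective of any type."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {
        obj: max(LEVELS[levels[i]] for levels in info_types.values())
        for i, obj in enumerate(OBJECTIVES)
    }
    overall = max(per_objective.values())
    return NAMES[overall], {k: NAMES[v] for k, v in per_objective.items()}


# Constructed mini-catalog: control id, name, and the lowest baseline that
# includes it. Tiers are illustrative (the article's grouping), not the
# authoritative 800-53 baseline tables.
CATALOG = {
    "AT-2": ("Security Awareness Training", "low"),
    "AU-8": ("Time Stamps", "low"),
    "CA-7": ("Continuous Monitoring", "low"),
    "CP-9": ("Information System Backup", "low"),
    "RA-5": ("Vulnerability Scanning", "low"),
    "AC-6": ("Least Privilege", "moderate"),
    "AC-17": ("Remote Access", "moderate"),
    "IA-3": ("Device Identification and Authentication", "moderate"),
    "AC-10": ("Concurrent Session Control", "high"),
    "SC-5": ("Denial of Service Protection", "high"),
    "SI-16": ("Memory Protection", "high"),
}


def select_baseline(category, catalog=CATALOG):
    """RMF step 2 (Select). Baselines are cumulative: a moderate system
    inherits every low control plus the moderate additions."""
    tier = LEVELS[category]
    return sorted(cid for cid, (_, floor) in catalog.items() if LEVELS[floor] <= tier)


def tailor(baseline, add=(), remove=(), justification=None):
    """Tailoring: supplement or scope out controls, never silently. Scoping
    out a baseline control requires a documented justification for the plan."""
    if remove and not justification:
        raise ValueError("removing baseline controls requires a documented justification")
    return sorted((set(baseline) | set(add)) - set(remove))
```

A single high-integrity information type is enough to push the whole system to a high categorization, which is why the "honest look" at every data type matters before controls are selected.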
NIST Risk Management Framework vs. NIST Cybersecurity Framework
The NIST Cybersecurity Framework was born out of an executive order that former President Barack Obama issued in February 2013, which directed NIST to “lead the development of a framework to reduce cyber risks to critical infrastructure” in an open, transparent and collaborative manner.
That first version was issued a year later, after being reviewed by agencies, industry, state and local governments, foreign governments and companies, and academics. NIST revised the framework and issued Cybersecurity Framework Version 1.1 in April 2018. Since President Donald Trump’s May 2017 cybersecurity executive order, the framework has been mandated as the document that agency heads should use to manage cybersecurity risk.
Originally, the RMF was designed for federal agencies to follow to implement FISMA, and the Cybersecurity Framework was designed for the private sector, Ross says. Now, agencies have two mandatory frameworks to use, but NIST does not want agencies to be doing double work as they enhance cybersecurity controls, Ross says.
When NIST revised the RMF in December 2018, the agency added indicators that show where an action in the RMF corresponds to a commensurate action in the Cybersecurity Framework, Ross says. The goal is to give agencies choices on how to select controls. The RMF pushes agencies to select baseline cybersecurity controls, and the Cybersecurity Framework can be used to drive control selection as agencies tailor those controls for their mission environment and operations.
What Is the Purpose of NIST 800-53?
A different publication, NIST 800-53, catalogues the security and privacy controls that agencies can use.
There are 115 low-impact controls, ranging from security awareness training to time stamps, security assessments, continuous monitoring, information systems backup, risk assessments and vulnerability scanning.
There are 159 moderate-impact controls, including least privilege, remote access, contingency planning and device identification and authentication.
And there are 170 high-impact controls, including concurrent session controls, supply chain protection, denial of service protection, malicious code protection and memory protection.
Ross says he views 800-53 as a “parts bin” for agencies to protect their systems and data once they have an idea of what they want to build.
“I look at the RMF as the framework; it’s the car,” Ross says. “800-53 is the gas that goes in the car.”
What Are NIST Security Controls?
NIST tries to give agencies guidance for when and how to use low-, moderate- and high-impact controls, Ross says.
Every agency is different, he notes, ranging from banking institutions to those developing weapons systems and protecting critical infrastructure. Some have missions that are critical to national security and public safety. That can influence the technologies they are using.
“It’s a tremendous scope of diversity across there,” Ross says. “You have to have frameworks that are agile and have the breadth and depth that can stand up, at the high end, to nation-state adversaries.”
Some agencies will want to put more emphasis on firmware controls and integrity, since laptops’ basic input-output systems have been used as the basis for cyberattacks, Ross says.
“You need to know the threats out there and the vulnerabilities you have, and, if a threat should exploit that, what you should do,” Ross says.