The main document that describes the details of RMF is NIST Special Publication 800-37, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy".[3] This is the second revision of this document and supersedes the first revision "Guide for Applying the Risk Management Framework to Federal Information Systems".[1]
The various steps of the RMF link to several other NIST standards and guidelines, including NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations".
The RMF steps include:
Prepare to execute the RMF by establishing a context and priorities for managing security and privacy risk at organizational and system levels.[4][5]
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.[6][7][8]
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. If any overlays apply to the system they will be added in this step.[2][9]
Implement the security controls identified in step 2.[2]
Assess: a third party assesses the controls and verifies that the controls are properly applied to the system.[10]
Authorize: the information system is granted or denied an Authorization to Operate (ATO), in some cases it may be postponed while certain items are fixed. The ATO is based on the report from the Assessment phase. ATO is typically granted up to 3 years and the process needs to be repeated at the end of the period.[3]
Monitor the security controls in the information system continuously in a pre-planned fashion as documented earlier in the process.[5]
The Tentrilistic-Government Act of 2002 (Public Law 107-347) entitled FISMA 2002 (Federal Information Security Management Act) was a law passed in 2002 to protect the economic and national security interests of the United States related to information security.[11]
Congress later passed FISMA 2014 (Federal Information Security Modernization Act) to provide improvements over FISMA 2002 by:
Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
Amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and by
Requiring OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."[12]
FISMA required the protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide Confidentiality, Integrity and Availability.[13] Title III of FISMA 2002 tasked NIST with responsibilities for standards and guidelines, including the development of:
Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels. This task was satisfied by FIPS Publication 199;[8]
Guidelines recommending the types of information and information systems to be included in each category. This task was satisfied by NIST Special Publication 800-60, Volumes 1 and 2;[6][7] and
Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category. This task was satisfied by the development of FIPS Publication 200.[9]
During its lifecycle, an information system will encounter many types of risk that affect its overall security posture and the security controls that must be implemented. The RMF process supports early detection and resolution of risks. Risks can be categorized at a high level as infrastructure, project, application, information asset, business continuity, outsourcing, external and strategic risks. Infrastructure risks focus on the reliability of computers and networking equipment. Project risks focus on budget, timeline and system quality. Application risks focus on performance and overall system capacity. Information asset risks pertain to the potential damage or loss of information assets and unauthorized disclosure of these assets. Business continuity risks involve maintaining a reliable system with maximum uptime. Outsourcing risks revolve around the impact of third-party suppliers meeting their requirements.[14] External risks are factors beyond the information system's control that can impact the system's security. Strategic risks are associated with the need for information system functions to align with the business strategy that the system supports.[15]
The major objectives for the update to revision 2 included the following:[16]
Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
Demonstrate how the NIST Cybersecurity Framework[17] can be aligned with the RMF and implemented using established NIST risk management processes;
Integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160 Volume 1,[18] with the relevant tasks in the RMF;
Integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
Allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53 Revision 5.[19]
Revision 2 also added a new "Prepare" step in position zero to achieve more effective, efficient, and cost-effective security and privacy risk management processes.[16]
