- RMF Definition & Foundation
- Framing Security in Terms of Risk – 6 Steps
- The Amorphous Nature of the RMF
- RMF Supporting Documents
- Taking the Pain Out of FISMA Compliance
RMF Definition & Foundation
Risk Management Framework (RMF) is the name for a structured approach to implementing high security on any IT system used by the federal government, including those of hosting providers. An effort to better standardize best practices within the public sector, the RMF is an update of the Certification and Accreditation (C & A) model used previously by federal agencies, security contractors, and the Pentagon.
The Risk Management Framework is a crucial component to meeting the requirements of the Federal Information Security Management Act (FISMA compliance). Its core tenets are derived from reports issued by the Committee on National Security Systems (CNSS) and the National Institute of Standards and Technology (NIST).
“The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program that involves the management of organizational risk,” explains NIST, defining that term as “the risk to the organization or to individuals associated with the operation of an information system.”
Risk management is critical to security. The framework makes determining appropriate controls more efficient …, enhancing consistency (though modulated by specific attributes of individual systems) throughout the federal infrastructure.
Framing Security in Terms of Risk – 6 Steps
As its name suggests, the RMF positions understanding risk as central to establishing security. The framework follows a basic step-by-step process which is usable with newly adopted systems as well as anything currently in operation:
1. Determine the category
Via an impact analysis, figure out the risk category to which a system and its data belongs. “The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization,” says NIST. “Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk.”
2. Choose controls
The category tells you what security mechanisms are needed at a minimum. Adjust and bolster the controls as appropriate.
3. Adopt the new tools
Install the tools, keeping records of everything that you do.
Analyze the controls to make sure that they have been installed adequately and are successfully performing the function for which they were selected.
Confirm that the risk presented by the environment, with all security mechanisms installed, is acceptable for authorized use.
6. Continually monitor
Monitor the system as time goes on (with assessments, analyses, and notations of changes).
The Amorphous Nature of the RMF
The National Institute of Standards and Technology notes that the six core principles or steps of the RMF provide a nutshell understanding, while the specific rules and standards issued by NIST offer a more granular view on assessments and controls.
Like risk itself, the RMF is a bit amorphous – especially true of the supporting materials. Because of that, NIST notes that sometimes one paper will reference language in another paper that has been replaced with a new version.
RMF Supporting Documents
Here are the three major categories of general supporting materials, which point to more thorough reports:
The frequently asked questions take information from numerous papers to advise on the six core concepts. The FAQ questions all fit into one of four categories, according to NIST: “general information …, fundamental knowledge needed to understand and implement the activities …, guidance to help organizations prepare for and implement the step, and step-by-step guidance [for] applying the step to individual information systems.”
- Roles and Responsibilities Charts
These charts establish what’s happening with your people, identifying who is taking charge of certain aspects.
3. Quick Start Guides
Just like a brief, to-the-point manual that comes along with a new printer or shredder, these NIST publications are nugget overviews of the reports pertaining to each RMF step. There are multiple guides for all of the steps – one from a management perspective and others directed toward the main people who will be putting systems into place.
Standardly the entities that handle categorization (step 1), for instance, are the owners of the data and the office that handles IT security. To accommodate those different audiences, advice is provided to both party types in that literature.
While these brief manuals are intended to be helpful, they are limited in scope. “The Quick Start Guides provide implementation guidance and examples on how to plan for, conduct, and document the results,” says NIST. “While the guides provide examples and sample documentation, they are not mandatory nor do they prescribe required formats.”
Taking the Pain Out of FISMA Compliance
Do you need a FISMA-compliant partner? One way to reduce your risk is to work with Superb Internet. Our team of engineers and security technicians are available every day, all day, for consultations and assistance – working with you to secure your environment and to apply appropriate FISMA security controls.
By Kent Roberts