Jump to content

Risk Management Framework

Add links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Pmsyyz (talk | contribs) at 23:08, 14 November 2017 (cleanup). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
The Risk Management Framework (NIST Special Publication 800-37).

The Risk Management Framework is a United States federal government policy and standards to help secure information systems (computers and networks) developed by National Institute of Standards and Technology.

The two main publications cover the details of RMF are NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", and NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations".

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).

The Risk Management Framework (RMF), illustrated at right, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.[1]

The RMF steps include:

  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
  • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize the information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
  • Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

See also

References

  1. ^ Guide for Applying the Risk Management Framework to Federal Information Systems
Retrieved from "https://en.wikipedia.org/w/index.php?title=Risk_Management_Framework&oldid=810387178"