NIST Cybersecurity A-Z: NIST Risk Management Framework (RMF)


Learn to create a complete Risk Management Framework from scratch with NIST Risk Management Guidelines

What you will learn

Deep dive into all 6 Steps of the NIST RMF: Categorize, Select, Implement, Assess, Authorize, Monitor

Learn the Guide for Applying the Risk Management Framework to Federal Information Systems

Master the Guide for Security and Privacy Controls for Federal Information Systems and Organizations

Understand NIST SP 800-37, SP 800-53 and SP 800-53A Standards in Depth

Security Impact Analysis

FIPS 199 and FIPS 200 Standards

4 Step Security Categorization

Selecting Security Controls Baseline

Document the Security Control Implementation in the Security Plan

Prepare the Security Assessment Report

Certification and Accreditation

Practical Applications of the NIST Risk Management Framework

Implementing Information Security Controls and Evaluating the Control Set

Description

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems. It links to a suite of NIST standards and guidelines that support the implementation of risk management programs meeting the requirements of the Federal Information Security Modernization Act (FISMA).

  • Prepare: essential activities that ready the organization to manage security and privacy risks
  • Categorize: the system and the information it processes, stores, and transmits, based on an impact analysis
  • Select: the set of NIST SP 800-53 controls that protect the system, based on risk assessment(s)
  • Implement: the controls, documenting how they are deployed
  • Assess: determine whether the controls are in place, operating as intended, and producing the desired results
  • Authorize: a senior official makes a risk-based decision to authorize the system (to operate)
  • Monitor: continuously monitor control implementation and risks to the system

This course will give you a comprehensive understanding of the risk management process for all organizations; although written for federal systems, the NIST RMF is also potentially applicable to risk management in any corporate setting. This course is a comprehensive explication of risk management, and it will allow you to understand the application and uses of the RMF content. The people who would benefit from this knowledge range from managers to all types of technical workers and specialists.

Section 2: Introduction to Organizational Security Risk Management

This section presents an overview of organizational risk management through an exploration of the types of organizational risks that senior leaders must identify, the necessity and benefits of managing those risks, and the information security regulation that senior leaders must consider as they manage risk.

Section 3: Survey of Existing Risk Management Models

This section discusses various models that can be used to implement the NIST RMF. The goal is to provide a comparative assessment of existing models and demonstrate how the NIST framework sets itself apart from them.

Section 4: Categorize Information and Information Systems

This section begins with a definition of security impact analysis. CNSSI 1253, Security Categorization and Control Selection for National Security Systems, and FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, are explored, compared, and contrasted as sources of guidelines for organizations performing the information system categorization process. The major focus of this section is on understanding the tables in NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories; on utilizing FIPS 199 as a means of implementing the security categorization; and on the information classification process of the NIST RMF.

Section 5: Select Security Controls

This section begins with an introduction to FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. This guideline is used for establishing security boundaries and identifying minimum security requirements. The section also discusses the contents of the security plan and the continuous monitoring strategy, which are two of the underlying outputs of the control selection process.
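The two steps described above (FIPS 199 security categorization under the SP 800-60 four-step process, then FIPS 200 high-water-mark selection of an SP 800-53 baseline) can be worked through end to end. The following is an added example written for this page, not course material or NIST code; the information types, impact values and the "benefits portal" system are constructed for illustration.

```python
"""FIPS 199 / SP 800-60 security categorization, the FIPS 200 high-water mark,
and the resulting SP 800-53 baseline. Added example; sample data is constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Optional


class Impact(IntEnum):
    """FIPS 199 potential impact values. NA is only valid for the
    confidentiality objective of information explicitly designated public."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type: provisional impact levels (SP 800-60 step 2) and
    optional adjusted levels with a documented rationale (SP 800-60 step 3)."""
    name: str
    provisional: Dict[str, Impact]
    adjusted: Optional[Dict[str, Impact]] = None
    rationale: str = ""

    def effective(self) -> Dict[str, Impact]:
        levels = dict(self.provisional)
        if self.adjusted:
            if not self.rationale:
                raise ValueError(f"{self.name}: adjusting a provisional level needs a rationale")
            levels.update(self.adjusted)
        missing = [o for o in OBJECTIVES if o not in levels]
        if missing:
            raise ValueError(f"{self.name}: no impact level for {missing}")
        # FIPS 199 permits NA only for confidentiality, never for integrity/availability
        if any(levels[o] is Impact.NA for o in ("integrity", "availability")):
            raise ValueError(f"{self.name}: NA is only permitted for confidentiality")
        return levels


def format_category(name: str, levels: Dict[str, Impact]) -> str:
    """Render in FIPS 199 notation: SC name = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({o}, {levels[o].name})" for o in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """SP 800-60 step 4: per objective, the system's level is the highest
    (high-water mark) across all information types it handles, and a system
    level is never below LOW even when every type is NA for confidentiality."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    effective = [t.effective() for t in types]
    return {o: max(max(e[o] for e in effective), Impact.LOW) for o in OBJECTIVES}


def overall_impact(system: Dict[str, Impact]) -> Impact:
    """FIPS 200: the overall impact level is the highest of the three objectives."""
    return max(system.values())


def baseline(system: Dict[str, Impact]) -> str:
    """SP 800-53 baseline (LOW, MODERATE or HIGH) selected from the overall impact level."""
    return overall_impact(system).name


# Constructed sample system: a benefits portal handling three information types.
SAMPLE_TYPES = [
    InfoType("public press releases",
             {"confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW}),
    InfoType("benefit applications (PII)",
             {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW}),
    InfoType("payment instructions",
             {"confidentiality": Impact.MODERATE, "integrity": Impact.LOW, "availability": Impact.LOW},
             adjusted={"integrity": Impact.HIGH},
             rationale="tampered payment data causes large, hard-to-reverse financial loss"),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(format_category(t.name, t.effective()))
    system_category = categorize_system(SAMPLE_TYPES)
    print(format_category("benefits portal", system_category))
    print("overall impact:", overall_impact(system_category).name,
          "-> SP 800-53", baseline(system_category), "baseline")
```

The single adjusted integrity value drives the whole system to the HIGH baseline, which is exactly the effect the high-water mark is designed to have: one information type whose compromise would be severe sets the floor for the controls protecting everything co-located with it. The rationale requirement mirrors SP 800-60 step 3, where any departure from a provisional level must be justified in the categorization record.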

Section 6: Implement Security Controls

This section starts with a review of the system development life cycle (SDLC) and explores when the activities and tasks associated with security control implementation are performed. Emphasis is placed on the standards development and acquisition processes as a means of providing the details needed to develop an organizational information security architecture while integrating it into the organization's enterprise architecture.

Section 7: Assess Security Controls

This section begins by using NIST SP 800-30, Guide for Conducting Risk Assessments, as a directive for a discussion of the security risk assessment process. You will understand that security risk assessment and security control assessment are different processes, yet complementary in nature. The major focus of this section is on how to use NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, including the development of a security control assessment plan. The section will also demonstrate that, through security control assessment based on an established plan, you will be able to identify and disclose security risks that may exist within the organization.

Section 8: Authorize Information Systems

The first major component of this section is a detailed discussion of the creation and dissemination of the security authorization package, which includes the security plan, the security assessment report, and the plan of action and milestones. The section begins with the criteria for, and the creation of, a plan of action and milestones. You will appreciate that this plan provides the strategies for how the organization will correct the security weaknesses or deficiencies identified through security control assessment.

Section 9: Monitor Security State

This section emphasizes the strategies associated with ongoing security control assessments, remediation action strategies, procedures for implementing documentation and plan updates, security status reporting procedures, strategies for ongoing risk determination and acceptance, and secure procedures for information system removal and decommissioning.

Section 10: Practical Application of the NIST RMF

This section provides specific examples of the implementation process for small-, medium-, and large-scale organizational applications, in the form of case studies presented as model representations of the practical advantages and pitfalls of implementing the RMF as an end-to-end process. The aim of this final section is to give you a concrete understanding of the real-world issues associated with enterprise risk management, and to suggest pragmatic strategies for implementing the RMF across a range of settings.

You are going to get the ultimate learning experience, as every section is followed by a practice test and comes with uploaded reading resources.

Content

Introduction

Introduction

NIST Framework Overview

The NIST Framework
NIST Framework Core
Framework Implementation and Profile
Recent NIST Developments

Cybersecurity Risk Planning and Management

Cybersecurity Risk Planning
What is a Cyber Security Risk
Asset Management
Keeping Hardware Inventory Updated
Keeping Software Platform Inventory
Prioritizing Devices, Software and Apps
Personnel Security Requirements
Governance
Risk Assessment and Management
Identifying Internal and External Threats
Focus on Highlighted Risk
Plans for Dealing with the Highest Risk
Cybersecurity Risk Planning and Management Test

User and Network Infrastructure Planning and Management

User and Network Infrastructure
Authentication and Access Control
Control List and Remote Access
Network Security Controls
Association and Authentication
Awareness and Training
Data Security
Hardware Integrity
Information Protection
Patch Management
Maintenance
Protective Technology
Cybersecurity Risk Planning and Management

Tools and Techniques for Detecting Cyber Incidents

Tools and Techniques
Detecting Incidents
Anomalies and Events
Monitor Systems
Logging Devices and Log Files
Continuous Monitoring
Detection Process
Tools and Techniques for Detecting Cyber Incidents Test

Developing a Continuity of Operations Plan

Developing a Continuity of Operations Plan
Incident response
Executable Response Plan
Importance of Communications
Incident Analysis
Mitigation
Recover
Developing a Continuity of Operations Plan Test

Supply Chain Risk Management

Supply Chain Risk Management
Supply Chain Management Practices
Incorporating the Supply Chain Category
Develop, Assess and Test Supply Chain Risks
Supply Chain Risk Management Test

Bonus Coding Projects: Python Game Store

Using Frameworks in Python
Django Framework
Video Game Store
Environment Set Up
Exploring Our Django Project
Creating Django App
Dependencies and NVM Module
Add Login and Logout
Add Login and Logout Part 2
Creating New Users
Creating New Users: Front-End
Game Data Model: Back-End
Game Data Model: Front-End
Game Data Model: Edit Views
Adding List Game Views
Creating Shopping Cart Model
Creating the Shopping Cart Form
Creating the Shopping Cart View
Adding Items to the Cart
Cart Front-End & Running the Game Store