Understanding the NIST Risk Management Framework – NIST SP 800-37 Revision 2
Denise Tawwab, CISSP, CCSK
Information Security Risk and Compliance Consultant
www.denisetawwab.com
919.339.2253
June 2-5, 2019 | Myrtle Beach, SC
What We Will Cover in This Section
 Background of NIST RMF
 Target Audience
 NIST 800-37 Fundamentals
NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 2
BACKGROUND
Joint Task Force Transformation Initiative (JTFTI)
 The JTFTI Interagency Working Group came together to produce a unified
information security framework for the federal government.
 JTFTI members came from:
 National Institute of Standards and Technology (NIST)
 Department of Defense (DOD),
 Office of the Director of National Intelligence (ODNI), and
 Committee on National Security Systems (CNSS)
 JTFTI produced 5 core NIST FISMA documents that define the risk management
process, develop the risk management framework (RMF) to improve information
security, and encourage reciprocity among organizations.
5 Core Documents
 NIST SP 800-39, Managing Information Security Risk
 NIST SP 800-30, Guide for Conducting Risk Assessments
 NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
 NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
 NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and
Organizations: Building Effective Assessment Plans
The NIST Risk Management Framework (RMF)
The RMF provides a dynamic and flexible approach to
 effectively manage information security and privacy risks
 in diverse environments
 with complex and sophisticated threats, changing missions, and system
vulnerabilities.
The NIST Risk Management Framework (RMF)
The NIST Risk Management Framework emphasizes risk management by:
 Building security and privacy capabilities into information systems throughout the
Systems Development Life Cycle (SDLC);
 Maintaining awareness of the security and privacy posture of information systems on
an ongoing basis through continuous monitoring processes;
 Providing information to senior leaders and executives to facilitate decisions
regarding the acceptance of risk to organizational operations and assets, individuals,
other organizations, and the Nation arising from the operation and use of systems.
8 Goals of the RMF (1 of 2)
1. Provides a repeatable process designed to promote the protection of information
and information systems commensurate with risk.
2. Emphasizes organization-wide preparation necessary to manage security and privacy
risks;
3. Facilitates the categorization of information and systems; the selection,
implementation, assessment, and monitoring of controls; and the authorization of
information systems and common controls.
4. Promotes near real-time risk management and ongoing system and control
authorization through the implementation of robust continuous monitoring
processes;
8 Goals of the RMF (2 of 2)
5. Encourages the use of automation to provide senior leaders with the necessary
information to make cost-effective, risk-based decisions for information systems
supporting their missions and business functions;
6. Facilitates the seamless integration of security and privacy requirements and
controls into enterprise architecture, SDLC, acquisition processes, and systems
engineering processes;
7. Connects risk management processes at the organization and mission/business
process levels to risk management processes at the information system level via a
risk executive (function);
8. Establishes responsibility and accountability for controls implemented within
information systems and inherited by those systems.
Reciprocity
 Reciprocity is an agreement among participating organizations to accept each
other’s security and privacy assessment results, to reuse system resources, or to
accept each other’s assessed security and privacy posture to share information.
Figure: RMF 2.0 themes – communication between the C-suite and implementers and operators; security risk management; privacy risk management; supply chain risk management; alignment with security engineering processes; alignment with the NIST Cybersecurity Framework.
RMF Target Audience (2 of 2)
 People responsible for conducting security or privacy assessments and for
monitoring information systems (control assessors, auditors, and system owners).
 People with security or privacy implementation and operational responsibilities
(system owners, common control providers, information owners/stewards, mission
or business owners, security or privacy architects, and systems security or privacy
engineers).
NIST 800-37 FUNDAMENTALS
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management
Organization-Wide Risk Management
Managing information system-related security and privacy risks is a complex
undertaking that requires the involvement of the entire organization –
 from senior leaders providing the strategic vision and top-level goals and objectives
for the organization,
 to mid-level leaders planning and managing projects,
 to individuals developing, implementing, operating, and maintaining the systems
supporting the organization’s missions and business functions.
Organization-Wide Risk Management
Risk management is a holistic activity that is fully integrated into every aspect of the
organization including:
 the mission and business planning activities,
 the enterprise architecture,
 the SDLC processes, and
 the system engineering activities.
Security and Privacy requirements are clearly articulated and communicated to each
organizational entity to help ensure mission and business success.
The 3 Tiers of Organization-Wide Risk Management
Risk is addressed at the 3 tiers of the organization:
 Level 1 – Organization level
 Level 2 – Mission/business process level
 Level 3 – Information system or System Component level.
See NIST SP 800-39 for guidance on organization-wide risk management.
Overview of Activities at Levels 1 and 2
 The activities conducted at Levels 1 (organization) and 2 (mission/business process)
are critical to preparing the organization to execute the RMF.
 Preparation involves a wide range of activities that go beyond managing the
security and privacy risks associated with operating or using specific systems and
includes activities that are essential to managing security and privacy risks
appropriately throughout the organization.
Overview of Activities at Levels 1 and 2
Decisions about how to manage security and privacy risks at the system level (Level 3) cannot
be made in isolation. Such decisions are closely linked to decisions regarding:
 Mission/business objectives of the organization;
 Modernization of information systems, components, and services to adopt new and
innovative technologies;
 Enterprise architecture and the need to manage and reduce the complexity of systems
through consolidation, optimization, and standardization (i.e., reducing the attack surface and
technology footprint exploitable by adversaries);
 Allocation of resources to ensure the organization can conduct its missions and business
operations with a high degree of effectiveness, efficiency, and cost-effectiveness.
Levels 1 and 2 Preparation Activities (1 of 3)
1. Assigning key roles and responsibilities for risk management processes.
2. Establishing a risk management strategy and organizational risk tolerance.
3. Identifying the missions, business functions, and business processes the information
system is intended to support.
4. Identifying key stakeholders that have an interest in the information system.
5. Identifying and prioritizing assets (including information assets).
Levels 1 and 2 Preparation Activities (2 of 3)
6. Understanding threats to information systems, organizations, and individuals.
7. Conducting risk assessments.
8. Identifying and prioritizing key stakeholder protection needs and security and
privacy requirements.
9. Determining systems-of-interest (i.e., authorization boundaries).
Levels 1 and 2 Preparation Activities (3 of 3)
10. Defining information systems in terms of the enterprise architecture.
11. Developing the security and privacy architectures that include controls suitable for
inheritance by organizational systems (common controls).
12. Identifying, aligning, and de-conflicting requirements.
13. Allocating both security and privacy requirements to information systems and
environments in which those systems operate.
Overview of Level 3 Activities (Information Systems)
 In contrast to Level 1 and 2 activities that prepare the organization for the execution
of the RMF, Level 3 addresses risk from an Information System perspective and is
guided and informed by the risk decisions at the organization and mission/business
process levels.
 The risk decisions at Levels 1 and 2 impact the selection and implementation of
controls at the system level.
 System security and privacy requirements are satisfied by the selection and the
implementation of controls from NIST SP 800-53.
NIST SP 800-53 Controls
 Controls are traceable to the security and privacy requirements established
by the organization to ensure that there is
 transparency in the development of security and privacy solutions and that the
 requirements are fully addressed during system design, development, implementation,
and maintenance.
THE 7 STEPS IN THE RISK MANAGEMENT FRAMEWORK
Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
Figure: Risk Management Framework (NIST SP 800-37 Rev. 2) – the seven steps.
More about the RMF Steps
 The steps in the RMF can also be aligned with the systems security engineering processes
defined in NIST SP 800-160, Volume 1.
 After the Prepare step, the remaining steps can be carried out in a nonsequential order.
 If executing the RMF for the first time for a system, you will typically carry out the steps in
sequential order.
 Once the system is in the operation and maintenance phase of the SDLC (as part of the
continuous monitoring step), events may dictate nonsequential execution.
 The risk management approach selected by an organization may vary on a continuum from
top-down to decentralized consensus among peers; however, organizations (in all cases) use
a consistent approach that is applied to risk management processes across the enterprise
from the organization level to the information system level.
 Senior officials must identify and secure the needed resources to complete the 800-37 risk
management tasks and ensure that those resources are made available to the appropriate
personnel.
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management
INFORMATION SECURITY & PRIVACY UNDER THE RMF
The 2016 Revision of OMB Circular A-130 Requires Organizations to Integrate Privacy into the RMF Process
INFORMATION SECURITY PROGRAMS VS. PRIVACY PROGRAMS
Information Security Programs
Information Security programs are responsible for
protecting information and information systems
from unauthorized access, use, disclosure,
modification, or destruction in order to provide
confidentiality, integrity, and availability.
Privacy Programs
Privacy programs are responsible for ensuring
compliance with applicable privacy requirements
and for managing the creation, collection, use,
processing, storage, maintenance, dissemination,
disclosure, and disposal (collectively referred to as
“processing”) of PII.
Privacy programs are responsible for managing the
risks to individuals that may result from the
creation, collection, use, and retention of PII; the
inadequate quality or integrity of PII; and the lack
of appropriate notice, transparency, or
participation.
The Relationship of Information Security Programs and Privacy
Programs Under the RMF
 The objectives of the InfoSec and privacy programs overlap and are complementary: both
address the confidentiality, integrity, and availability of PII.
 When a system processes PII, the information security program and privacy program have a
shared responsibility for managing the risks to individuals that may arise from unauthorized
system activity or behavior. This requires the two programs to collaborate when selecting,
implementing, assessing, and monitoring security controls.
 However, protecting individuals’ privacy cannot be achieved solely by securing PII. Not all
privacy risks arise from unauthorized system activity or behavior such as unauthorized
access to or disclosure of PII. Some privacy risks result from authorized activity that is
beyond the scope of information security.
Privacy Programs Implement, Assess, and Monitor Privacy Controls
 To ensure compliance with applicable privacy requirements and to manage privacy
risks, Privacy Programs also select, implement, assess, and monitor privacy controls.
 Privacy controls are listed in NIST SP 800-53 Rev. 4, Appendix J.
 Organizations manage risk under the RMF from authorized processing of PII and
from unauthorized system activity or behavior.
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management
SYSTEM AND SYSTEM ELEMENTS
Systems and the SDLC
 It is important to describe information systems in the context of the 5-phase SDLC
and how security and privacy capabilities are implemented within the basic
components of those systems. (Initiation, Development/Acquisition, Implementation,
Operation/Maintenance, Disposal)
 Take a broad view of the entire SDLC to provide a contextual relationship and
linkage to architectural and engineering concepts that allow security and privacy
issues to be addressed at the appropriate level of detail to help ensure that such
capabilities are achieved.
What is an Information System?
 Federal law defines an information system as a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing, dissemination, or
disposition of information.
 ISO/IEC/IEEE 15288 defines a system as a set of interacting elements organized to
achieve one or more stated purposes.
 Every system operates within an environment that influences the system and its
operation.
System Elements
 System elements include technology or machine elements, human elements, and
physical or environmental elements.
 Individual system elements or a combination of system elements may satisfy stated
system requirements and may be implemented via hardware, software, or
firmware; physical structures or devices; or people, processes, policies, and
procedures.
 Interconnections between system elements allow those elements to interact to
produce a capability as specified by the system requirements.
System-of-Interest
 The set of system elements, system element interconnections, and the
environment in which the system operates.
 Determines the authorization boundary for the execution of the RMF.
 May be supported by one or more enabling systems that provide support during
the system life cycle.
The enabling systems are NOT within the authorization boundary of the system-of-interest
and do not necessarily exist in the operational environment of the system-of-interest.
The RMF is Applied to an Authorization Boundary
 The RMF is applied to an authorization boundary that can be conceptualized as a
system-of-interest – NOT to individual system elements.
 Organizations can employ component-level assessments for system elements and
can take advantage of the assessment results generated during that process to
support risk-based decision making for the system.
Example: The Common Criteria evaluation provides independent component-level
assessments for IT products.
Figure: Conceptual view of the system-of-interest.
Risk Management Activities and the SDLC
 Risk management activities begin early in the SDLC and continue throughout.
 Help to shape the security and privacy capabilities of the system.
 Ensure that the necessary controls are implemented.
 Ensure that security and privacy risks are being adequately addressed on an ongoing
basis.
 Ensure that the authorizing officials understand the current security and privacy
posture of the system in order to accept the risk.
Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management
CONTROL ALLOCATION
Common, System-Specific, and Hybrid Controls
3 Types of Controls
 System-Specific controls provide a security or privacy capability for an
information system.
 Common controls provide a security or privacy capability for multiple systems.
 Hybrid controls have system-specific and common characteristics.
What is Control Allocation?
 Control allocation is the process employed to determine whether controls are
system-specific, common, or hybrid AND to assign the controls to the specific system
elements responsible for providing a security or privacy capability.
 Controls are allocated to a system or an organization consistent with the enterprise
architecture and security or privacy architecture.
 Security control allocation also occurs during the SDLC process as part of
requirements engineering.
See NIST SP 800-160, Volume 1 for systems security engineering activities associated with system life cycle
processes to achieve trustworthy, secure components, systems, and services.
Why Use Common Controls?
 Organizations are encouraged to identify and implement common controls that can
support multiple information systems as a common protection capability.
 When common controls are used to support a specific system, they are referenced
by that system as inherited controls.
 Common controls promote cost-effective, efficient, and consistent security and
privacy safeguards across the organization.
 Common controls can simplify risk management processes and activities.
Allocation Assigns Responsibility and Accountability
 Allocating controls to a system as system-specific controls, hybrid controls, or
common controls, assigns responsibility and accountability to specific
organizational entities for the:
 development,
 implementation,
 assessment,
 authorization, and
 monitoring of those controls.
Control Allocation Produces Risk-Related Information
Control Allocation produces risk-related information for senior leaders about the
security and privacy posture of systems and the business processes supported by those
systems.
 System Security/Privacy Plans (SSP)
 System Security/Privacy Assessment Report (SAR)
 System Plan of Action and Milestones (POAM)
 Common Controls Security/Privacy Plans, Security/Privacy Assessment Report, and
Plan of Action and Milestones (POAM)
This information supports authorization and ongoing authorization decisions.
Figure: Organization-wide control allocation.
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management
SECURITY AND PRIVACY POSTURE
What is the Security and Privacy Posture?
The security and privacy posture represents the STATUS of the information systems
and information resources within an organization based on information assurance
resources and the capabilities in place to:
 manage the defense of the organization;
 comply with privacy requirements and manage privacy risks; and
 react as the situation changes.
Understanding the security and privacy posture of organizational information systems
and the common controls that are designated for inheritance by those systems is key to
the authorizing official’s ability to make risk-based decisions.
Continuous Monitoring and Assessing of Controls
 The Security and Privacy posture is determined on an ongoing basis by assessing and
continuously monitoring implemented controls.
 The control assessments and monitoring activities provide evidence that the
controls are implemented correctly, operating as intended, and satisfying the security
and privacy requirements in response to business requirements, laws, regulations,
policies, or standards.
 Authorizing officials use the security and privacy posture to determine whether the risk
is acceptable based on the organization’s risk management strategy and
organizational risk tolerance.
See RMF Prepare step (organization level), Task P-2.
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management
SUPPLY CHAIN RISK MANAGEMENT
Why Supply Chain Risk Management is Needed
 Organizations are becoming increasingly reliant on external providers for component
products, systems, and services needed to carry out important business functions.
 Organizations remain responsible and accountable for the risk incurred when using
external suppliers.
Supply Chain Threats
 Insertion of Counterfeits
 Unauthorized Production
 Tampering
 Theft
 Insertion of Malicious software and hardware
 Shoddy manufacturing
 Poor development practices
Why Do We Have Supply Chain Risks?
 Decreased visibility into (and understanding of) how the technology acquired is
developed, integrated, and deployed.
 Limited knowledge and/or control of the processes, procedures, and practices used
to assure the integrity, security, resilience, and quality of the acquired products,
systems, and services.
Challenges to Managing Supply Chain Risk
 Defining the types of products, systems, and services that are outsourced.
 Describing how the products, systems, and services are protected in keeping with
the security and privacy requirements of the organization.
 Obtaining the necessary assurances that the risk arising from outsourcing is
avoided, mitigated, or accepted.
Develop a Supply Chain Risk Management Policy
 Guides and informs SCRM activities.
 Supports applicable organizational policies (acquisition and procurement, information
security and privacy, quality, supply chain, and logistics)
 Addresses the goals and objectives in the organization’s strategic plan, specific
missions and business functions, and the internal and external customer
requirements.
 Defines the integration points for SCRM with the risk management and the SDLC
processes.
 Defines SCRM-related roles and responsibilities, dependencies among those roles,
and interactions among the roles.
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management
THE PROCESS – SUMMARY OF THE RMF TASKS
The Structure of RMF Steps and Tasks
 Each STEP in the RMF has a purpose statement, a defined set of outcomes, and a set
of tasks that are carried out to achieve those outcomes.
 Each TASK contains a set of potential inputs needed to execute the task and a set of
potential outputs generated from task execution.
 Each task describes the phase of the SDLC where task execution takes place and the
risk management roles and responsibilities associated with the task.
 There is a discussion section and references to provide information on how to
effectively execute each task.
Task P-2: Risk Management Strategy
 Task: Establish a risk management strategy for the organization that includes a
determination of risk tolerance.
 Potential Inputs: Organizational mission statement; organizational policies; organizational
risk assumptions, constraints, priorities and trade-offs.
 Potential Outputs: Risk management strategy and statement of risk tolerance.
 Primary Responsibility: Head of Agency
 Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive
(Function); Chief Information Officer; Senior Agency Information Security Officer; Senior
Agency Official for Privacy.
 Discussion: Risk tolerance is the level or degree of risk or uncertainty that is acceptable to
an organization. Risk tolerance affects all components of the risk management process...
 References: NIST Special Publication 800-30; NIST Special Publication 800-39
(Organization Level); NIST Special Publication 800-160, Volume 1 (Risk Management,
Decision Management, Quality Assurance, Quality Management, Project Assessment and
Control Processes); NIST Special Publication 800-161; NIST Interagency Report 8062; NIST
Cybersecurity Framework (Core [Identify Function]).
Risk Management Framework (NIST SP 800-37 Rev. 2)
7 Organization-Level PREPARE Tasks
 Task P-1: Risk Management Roles
 Task P-2: Risk Management Strategy
 Task P-3: Risk Assessment – Organization
 Task P-4: Organizationally-Tailored Control Baselines
 Task P-5: Common Control Identification
 Task P-6: Impact-Level Prioritization (optional)
 Task P-7: Continuous Monitoring Strategy
The Purpose of the PREPARE Step
 Carry out essential activities at the organization, mission and business
process, and information system levels of the organization
 to help prepare the organization to manage its security and privacy risks
 using the Risk Management Framework.
11 System-Level PREPARE Tasks
 Task P-8: Mission or Business Focus
 Task P-9: System Stakeholders
 Task P-10: Asset Identification
 Task P-11: Authorization Boundary
 Task P-12: Information Types
 Task P-13: Information Life Cycle
 Task P-14: Risk Assessment – System
 Task P-15: Requirements Definition
 Task P-16: Enterprise Architecture
 Task P-17: Requirements Allocation
 Task P-18: System Registration
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2
Purpose of the Categorize Step
 The purpose of the categorize step is to inform organizational risk
management processes and tasks by determining the adverse impact
to organizational operations and assets, individuals, other organizations,
and the Nation with respect to the loss of confidentiality, integrity, and
availability of organizational systems and the information processed,
stored, and transmitted by those systems.
3 CATEGORIZE Tasks
 Task C-1: System Description
 Task C-2: Security Categorization
 Task C-3: Security Categorization Review and Approval
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2
Purpose of the Select Step of the RMF
 The purpose of the Select step is to select, tailor, and document
the controls necessary to protect the information system and
organization commensurate with risk to organizational operations and
assets, individuals, other organizations, and the Nation.
6 SELECT Tasks
 Task S-1: Control Selection
 Task S-2: Control Tailoring
 Task S-3: Control Allocation
 Task S-4: Documentation of Planned Control Implementations
 Task S-5: Continuous Monitoring Strategy – System
 Task S-6: Plan Review and Approval
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2
Purpose of the Implement Step of the RMF
 The purpose of the Implement step is to implement the
controls in the security and privacy plans for the system and for
the organization and to document in a baseline configuration,
the specific details of the control implementation.
2 IMPLEMENT Tasks
 Task I-1: Control Implementation
 Task I-2: Update Control Implementation Information
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2
Purpose of the Assess Step of the RMF
 The purpose of the Assess step is to determine if the
controls selected for implementation are implemented
correctly, operating as intended, and producing the desired
outcome with respect to meeting the security and privacy
requirements for the system and the organization.
6 ASSESS Tasks
 Task A-1: Assessor Selection
 Task A-2: Assessment Plan
 Task A-3: Control Assessments
 Task A-4: Assessment Reports (Security and Privacy)
 Task A-5: Remediation Actions
 Task A-6: Plan of Action and Milestones
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2
Purpose of the Authorize Step of the RMF
 The purpose of the Authorize step is to provide
organizational accountability by requiring a senior management
official to determine if the security and privacy risk (including
supply chain risk) to organizational operations and assets,
individuals, other organizations, or the Nation based on the
operation of a system or the use of common controls, is
acceptable.
The 5 AUTHORIZE Tasks and Outcomes
 Task R-1: Authorization Package
 Task R-2: Risk Analysis and Determination
 Task R-3: Risk Response
 Task R-4: Authorization Decision
 Task R-5: Authorization Reporting
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2
Purpose of the Monitor Step of the RMF
 The purpose of the Monitor step is to maintain an ongoing
situational awareness about the security and privacy posture of
the information system and the organization in support of risk
management decisions.
7 MONITOR Tasks and Outcomes
 Task M-1: System and Environment Changes
 Task M-2: Ongoing Assessments
 Task M-3: Ongoing Risk Response
 Task M-4: Authorization Updates
 Task M-5: Security and Privacy Posture Reporting
 Task M-6: Ongoing Authorization
 Task M-7: System Disposal
5 Core Documents
 NIST SP 800-39, Managing Information Security Risk
 NIST SP 800-30, Guide for Conducting Risk Assessments
 NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
 NIST SP 800-53, Recommended Security Controls for Federal Information Systems
 NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
and Organizations
Understanding The NIST Risk Management
Framework – NIST SP 800-37 Revision 2
Denise Tawwab, CISSP, CCSK
Information Security Risk and Compliance Consultant
www.denisetawwab.com
919.339.2253
June 2-5, 2019 | Myrtle Beach, SC

Understanding the NIST Risk Management Framework: 800-37 Rev. 2

  • 1.
    UnderstandingThe NIST RiskManagement Framework – NIST SP 800-37 Revision 2 DeniseTawwab, CISSP, CCSK Information Security Risk and Compliance Consultant www.denisetawwab.com 919.339.2253 1 June 2-5, 2019 | Myrtle Beach, SC
  • 2.
    DeniseTawwab, CISSP What WeWill Cover in This Section  Background of NIST RMF  Target Audience  NIST 800-37 Fundamentals NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 2
  • 3.
    DeniseTawwab, CISSP BACKGROUND NIST SP800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMSAND ORGANIZATIONS 3
  • 4.
    DeniseTawwab, CISSP Joint TaskForce Transformation Initiative (JTFTI)  The JTITI InteragencyWorking Group came together to produce a unified information security framework for the federal government.  JTFTI members came from:  National Institute of Standards and Technology (NIST)  Department of Defense (DOD),  Office of the Director of National Intelligence (ODNI), and  Committee on National Security Systems (CNSS)  JTFTI produced 5 core NIST FISMA documents that define the risk management process, develop the risk management framework (RMF) to improve information security, and encourage reciprocity among organizations. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 4
  • 5.
    DeniseTawwab, CISSP 5 CoreDocuments  NIST SP 800-39, Managing Information Security Risk  NIST SP 800-30, Guide for Conducting Risk Assessments  NIST SP 800-37, Risk Management Framework for Information Systems and Organizations  NIST SP 800-53, Recommended Security Controls for Federal Information Systems  NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 5
  • 6.
    DeniseTawwab, CISSP The NISTRisk Management Framework (RMF) The RMF provides a dynamic and flexible approach to  effectively manage information security and privacy risks  in diverse environments  with complex and sophisticated threats, changing missions, and system vulnerabilities. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 6
  • 7.
    DeniseTawwab, CISSP The NISTRisk Management Framework (RMF) The NIST Risk Management Framework emphasizes risk management by:  Building security and privacy capabilities into information systems throughout the Systems Development Life Cycle (SDLC);  Maintaining awareness of the security and privacy posture of information systems on an ongoing basis through continuous monitoring processes;  Providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of systems. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 7
  • 8.
    DeniseTawwab, CISSP 8 Goalsof the RMF (1 of 2) 1. Provides a repeatable process designed to promote the protection of information and information systems commensurate with risk. 2. Emphasizes organization-wide preparation necessary to manage security and privacy risks; 3. Facilitates the categorization of information and systems; the selection, implementation, assessment, and monitoring of controls; and the authorization of information systems and common controls. 4. Promotes near real-time risk management and ongoing system and control authorization through the implementation of robust continuous monitoring processes; NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 8
  • 9.
    DeniseTawwab, CISSP 8 Goalsof the RMF (2 of 2) 5. Encourages the use of automation to provide senior leaders with the necessary information to make cost-effective, risk-based decisions for information systems supporting their missions and business functions; 6. Facilitates the seamless integration of security and privacy requirements and controls into enterprise architecture, SDLC, acquisition processes, and systems engineering processes; 7. Connects risk management processes at the organization and mission/business process levels to risk management processes at the information system level via a risk executive (function); 8. Establishes responsibility and accountability for controls implemented within information systems and inherited by those systems. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 9
  • 10.
    DeniseTawwab, CISSP Reciprocity  Reciprocityis an agreement among participating organizations to accept each other’s security and privacy assessment results, to reuse system resources, or to accept each other’s assessed security and privacy posture to share information. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 10
  • 11.
    DeniseTawwab, CISSP Communication betweenC-Suite and Implementers and Operators Privacy Risk Management Supply Chain Risk Management Security Risk Management NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 11 Alignment with Security Engineering Processes RMF 2.0 Alignment with NIST Cybersecurity Framework
  • 12.
    DeniseTawwab, CISSP RMF TargetAudience (2 of 2)  People responsible for conducting security or privacy assessments and for monitoring information systems (control assessors, auditors, and system owners).  People with security or privacy implementation and operational responsibilities (system owners, common control providers, information owners/stewards, mission or business owners, security or privacy architects, and systems security or privacy engineers). NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 13
  • 13.
    DeniseTawwab, CISSP NIST 800-37FUNDAMENTALS NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMSAND ORGANIZATIONS 14
  • 14.
    DeniseTawwab, CISSP What WeWill Cover – Fundamentals  Organization-Wide Risk Management  Information Security and Privacy Under the RMF  System and System Elements  Control Allocation  Security and Privacy Posture  Supply Chain Risk Management NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 15
  • 15.
    DeniseTawwab, CISSP Organization-Wide RiskManagement Managing information system-related security and privacy risks is a complex undertaking that requires the involvement of the entire organization –  from senior leaders providing the strategic vision and top-level goals and objectives for the organization,  to mid-level leaders planning and managing projects,  to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 16
  • 16.
    DeniseTawwab, CISSP Organization-Wide RiskManagement Risk management is a holistic activity that is fully integrated into every aspect of the organization including:  the mission and business planning activities,  the enterprise architecture,  the SDLC processes, and  the system engineering activities. Security and Privacy requirements are clearly articulated and communicated to each organizational entity to help ensure mission and business success. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 17
  • 17.
    DeniseTawwab, CISSP The 3Tiers of Organization-Wide Risk Management Risk is addressed at the 3 tiers of the organization:  Level 1 – Organization level  Level 2 – Mission/business process level  Level 3 – Information system or System Component level. See NIST SP 800-39 for guidance on organization-wide risk management. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 18
  • 18.
    DeniseTawwab, CISSP Overview ofActivities at Levels 1 and 2  The activities conducted at Levels 1(organization) and 2 (mission/business process) are critical to preparing the organization to execute the RMF.  Preparation involves a wide range of activities that go beyond managing the security and privacy risks associated with operating or using specific systems and includes activities that are essential to managing security and privacy risks appropriately throughout the organization. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 19
  • 19.
    DeniseTawwab, CISSP Overview ofActivities at Levels 1 and 2 Decisions about how to manage security and privacy risks at the system level (Level 3) cannot be made in isolation. Such decisions are closely linked to decisions regarding:  Mission/business objectives of the organization;  Modernization of information systems, components, and services to adopt new and innovative technologies;  Enterprise architecture and the need to manage and reduce the complexity of systems through consolidation, optimization, and standardization (i.e., reducing the attack surface and technology footprint exploitable by adversaries);  Allocation of resources to ensure the organization can conduct its missions and business operations with a high degree of effectiveness, efficiency, and cost-effectiveness. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 20
  • 20.
    DeniseTawwab, CISSP Levels 1and 2 Preparation Activities (1 of 4) 1. Assigning key roles and responsibilities for risk management processes. 2. Establishing a risk management strategy and organizational risk tolerance. 3. Identifying the missions, business functions, and business processes the information system is intended to support. 4. Identifying key stakeholders that have an interest in the information system. 5. Identifying and prioritizing assets (including information assets). NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 21
  • 21.
    DeniseTawwab, CISSP Levels 1and 2 Preparation Activities (1 of 4) 6. Understanding threats to information systems, organizations, and individuals.. 7. Conducting risk assessments. 8. Identifying and prioritizing key stakeholder protection needs and security and privacy requirements. 9. Determining systems-of-interest (i.e., authorization boundaries). NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 22
  • 22.
    DeniseTawwab, CISSP Levels 1and 2 Preparation Activities (2 of 2) 10. Defining information systems in terms of the enterprise architecture. 11. Developing the security and privacy architectures that include controls suitable for inheritance by organizational systems (common controls). 12. Identifying, aligning, and de-conflicting requirements. 13. Allocating both security and privacy requirements to information systems and environments in which those systems operate. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 23
  • 23.
    DeniseTawwab, CISSP NIST SP800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 24
  • 24.
    DeniseTawwab, CISSP Overview ofLevel 3 Activities (Information Systems)  In contrast to Level 1 and 2 activities that prepare the organization for the execution of the RMF, Level 3 addresses risk from an Information System perspective and is guided and informed by the risk decisions at the organization and mission/business process levels.  The risk decisions at Levels 1 and 2 impact the selection and implementation of controls at the system level.  System security and privacy requirements are satisfied by the selection and the implementation of controls from NIST SP 800-53. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 25
  • 25.
    DeniseTawwab, CISSP NIST SP800-53 Controls  Controls are traceable to the security and privacy requirements established by the organization to ensure that there is  transparency in the development of security and privacy solutions and that the  requirements are fully addressed during system design, development, implementation, and maintenance. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 26
  • 26.
    DeniseTawwab, CISSP THE 7STEPS INTHE RISK MANAGEMENT FRAMEWORK Prepare, Categorize, Select, Implement,Assess,Authorize, Monitor 27NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 27.
    28Risk Management Framework(NIST SP 800-37 Rev. 2)NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 28.
    DeniseTawwab, CISSP More aboutthe RMF Steps  The steps in the RMF can also be aligned with the systems security engineering processes defined in NIST SP 800-60,Vol I.  The steps can be carried out in any order.  If executing the RMF for the first time, you will likely carry out the steps in sequential order.  Once the system is in the operation and maintenance phase of the SDLC (as part of the continuous monitoring step) events may dictate non-sequential execution.  The risk management approach selected by an organization may vary on a continuum from top-down to decentralized consensus among peers; however, organizations (in all cases) use a consistent approach that is applied to risk management processes across the enterprise from the organization level to the information system level.  Senior officials must identify and secure the needed resources to complete the 800-37 risk management tasks and ensure that those resources are made available to the appropriate personnel. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 29
  • 29.
    DeniseTawwab, CISSP What WeWill Cover – Fundamentals  Organization-Wide Risk Management  Information Security and Privacy Under the RMF  System and System Elements  Control Allocation  2.5 - Security and Privacy Posture  2.6 - Supply Chain Risk Management NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 30
  • 30.
    DeniseTawwab, CISSP INFORMATION SECURITY& PRIVACY UNDER THE RMF The 2016 Revision of OMB Circular A-130 Requires Organizations to Integrate Privacy into the RMF Process 31NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 31.
    DeniseTawwab, CISSP INFORMATION SECURITYPROGRAMS VS. PRIVACY PROGRAMS Information Security Programs Information Security programs are responsible for protecting information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability. Privacy Programs Privacy programs are responsible for ensuring compliance with applicable privacy requirements and for managing the dissemination, disclosure, or disposal (collectively referred to as “processing”) of PII. Privacy programs are responsible for managing the risks to individuals that may result from the creation, collection, use, and retention of PII; the inadequate quality or integrity of PII; and the lack of appropriate notice, transparency, or participation. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 32
  • 32.
    DeniseTawwab, CISSP The Relationshipof Information Security Programs and Privacy Programs Under the RMF  The objectives of the InfoSec and Privacy programs are overlapping and complementary (CIA).  When a system processes PII, the information security program and privacy program have a shared responsibility for managing the risks to individuals that may arise from unauthorized system activity or behavior. This requires the 2 programs to collaborate when selecting, implementing, assessing,and monitoring security controls.  However, protecting individuals’ privacy cannot be achieved solely by securing PII. Not all privacy risks arise from unauthorized system activity or behavior, such as unauthorized access or disclosure of PII. Some privacy risks may result from authorized activity that is beyond the scope of information security. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 33
  • 33.
    DeniseTawwab, CISSP Privacy ProgramsImplement,Assess, and Monitor Privacy Controls  To ensure compliance with applicable privacy requirements and to manage privacy risks, Privacy Programs also select, implement, assess, and monitor privacy controls.  Privacy Controls are listed in SP 800-53 Appendix J.  Organizations manage risk under the RMF from authorized processing of PII and from unauthorized system activity or behavior. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 34
  • 34.
    DeniseTawwab, CISSP What WeWill Cover – Fundamentals  Organization-Wide Risk Management  Information Security and Privacy Under the RMF  System and System Elements  Control Allocation  Security and Privacy Posture  Supply Chain Risk Management NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 35
  • 35.
    DeniseTawwab, CISSP SYSTEM ANDSYSTEM ELEMENTS 36NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 36.
    DeniseTawwab, CISSP Systems andthe SDLC  It is important to describe information systems in the context of the 5-phase SDLC and how security and privacy capabilities are implemented within the basic components of those systems. (Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal)  Take a broad view of the entire SDLC to provide a contextual relationship and linkage to architectural and engineering concepts that allow security and privacy issues to be addressed at the appropriate level of detail to help ensure that such capabilities are achieved. 37NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 37.
    DeniseTawwab, CISSP What isan Information System?  Federal law defines an information system as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.  ISO/IEC/IEEE 15288 defines a system as a set of interacting elements organized to achieve one or more stated purposes.  Every system operates within an environment that influences the system and its operation. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 38
  • 38.
    DeniseTawwab, CISSP System Elements System elements include technology or machine elements, human elements, and physical or environmental elements.  Individual system elements or a combination of system elements may satisfy stated system requirements and may be implemented via hardware, software, or firmware; physical structures or devices; or people, processes, policies, and procedures.  Interconnections between system elements allow those elements to interact to produce a capability as specified by the system requirements. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 39
  • 39.
    DeniseTawwab, CISSP System-of-Interest  Theset of system elements, system element interconnections, and the environment in which the system operates.  Determines the authorization boundary for the execution of the RMF.  May be supported by one or more enabling systems that provide support during the system life cycle. The enabling systems are NOT within the authorization boundary of the system-of-interest and do not necessarily exist in the operational environment of the system-of-interest. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 40
  • 40.
    DeniseTawwab, CISSP The RMFis Applied to an Authorization Boundary  The RMF is applied to an authorization boundary that can be conceptualized as a system-of-interest – NOT to individual system elements.  Organizations can employ component-level assessments for system elements and can take advantage of the assessment results generated during that process to support risk-based decision making for the system. Example: The Common Criteria evaluation provides independent component-level assessments for IT products. NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 41
  • 41.
    ConceptualView of theSystem-of-Interest 42NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 42.
    DeniseTawwab, CISSP Risk ManagementActivities and the SDLC  Risk management activities begin early in the SDLC and continue throughout.  Help to shape the security and privacy capabilities of the system.  Ensure that the necessary controls are implemented.  Ensure that security and privacy risks are being adequately addressed on an ongoing basis.  Ensure that the authorizing officials understand the current security and privacy posture of the system in order to accept the risk. Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 43
  • 43.
    DeniseTawwab, CISSP What WeWill Cover – Fundamentals  Organization-Wide Risk Management  Information Security and Privacy Under the RMF  System and System Elements  Control Allocation  Security and Privacy Posture  Supply Chain Risk Management NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS 44
  • 44.
    DeniseTawwab, CISSP CONTROL ALLOCATION Common,System-Specific, and Hybrid Controls 45NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 45.
    DeniseTawwab, CISSP 3 Typesof Controls  System-Specific controls provide a security or privacy capability for an information system.  Common controls provide a security or privacy capability for multiple systems.  Hybrid controls have system-specific and common characteristics. 46NIST SP 800-37 REVISION 2, RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
  • 46.
What is Control Allocation?
 Control allocation is the process employed to determine whether controls are system-specific, common, or hybrid AND to assign the controls to the specific system elements responsible for providing a security or privacy capability.
 Controls are allocated to a system or an organization consistent with the enterprise architecture and security or privacy architecture.
 Security control allocation also occurs during the SDLC process as part of requirements engineering. See NIST SP 800-160 Volume 1 for systems security engineering activities associated with system life cycle processes to achieve trustworthy, secure components, systems, and services.

Why Use Common Controls?
 Organizations are encouraged to identify and implement common controls that can support multiple information systems as a common protection capability.
 When common controls are used to support a specific system, they are referenced by that system as inherited controls.
 Common controls promote cost-effective, efficient, and consistent security and privacy safeguards across the organization.
 Common controls can simplify risk management processes and activities.

Allocation Assigns Responsibility and Accountability
 Allocating controls to a system as system-specific controls, hybrid controls, or common controls assigns responsibility and accountability to specific organizational entities for the:
 development,
 implementation,
 assessment,
 authorization, and
 monitoring of those controls.

Control Allocation Produces Risk-Related Information
Control allocation produces risk-related information for senior leaders about the security and privacy posture of systems and the business processes supported by those systems:
 System Security/Privacy Plans (SSP)
 System Security/Privacy Assessment Report (SAR)
 System Plan of Action and Milestones (POAM)
 Common Controls Security/Privacy Plans, Security/Privacy Assessment Report, and Plan of Action and Milestones (POAM)
This information supports authorization and ongoing authorization decisions.
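As an added illustration of how allocation assigns accountability (example code, not from the NIST publication or this deck): each baseline control is recorded as system-specific, common, or hybrid with an accountable provider; common controls appear in the system's plan as inherited controls referencing that provider, and any baseline control left without an accountable entity is surfaced as a gap rather than silently dropped. The system, team and provider names are constructed sample data; control identifiers follow the SP 800-53 naming style.

```python
"""RMF control allocation (SP 800-37 Rev. 2, Task S-3) as a small model.
Added example, not from NIST or the slide deck; systems, teams and providers
are constructed sample data, control IDs follow the SP 800-53 naming style."""
from dataclasses import dataclass, field
from typing import Dict, List

SYSTEM_SPECIFIC, COMMON, HYBRID = "system-specific", "common", "hybrid"

@dataclass
class Allocation:
    control: str           # e.g. "AC-2"
    kind: str              # SYSTEM_SPECIFIC, COMMON or HYBRID
    provider: str          # entity accountable for the control (or its common part)
    system_part: str = ""  # hybrid only: owner of the system-specific portion

@dataclass
class SystemPlan:
    """Control-allocation view of one System Security Plan (SSP)."""
    name: str
    implemented: List[str] = field(default_factory=list)     # system-specific
    inherited: Dict[str, str] = field(default_factory=dict)  # control -> common provider
    hybrid: Dict[str, str] = field(default_factory=dict)     # control -> system-side owner
    unallocated: List[str] = field(default_factory=list)     # accountability gaps

def allocate(system: str, baseline: List[str],
             allocations: Dict[str, Allocation]) -> SystemPlan:
    """Assign every baseline control to an accountable entity. Common controls
    are referenced as inherited from their provider, hybrid controls split
    accountability, and a control with no allocation is reported as a gap."""
    plan = SystemPlan(system)
    for ctl in baseline:
        a = allocations.get(ctl)
        if a is None or not a.provider:
            plan.unallocated.append(ctl)
        elif a.kind == COMMON:
            plan.inherited[ctl] = a.provider
        elif a.kind == HYBRID:
            plan.inherited[ctl] = a.provider
            plan.hybrid[ctl] = a.system_part or system
        else:
            plan.implemented.append(ctl)
    return plan

# Constructed sample: organization-wide allocation decisions and one system's baseline.
SAMPLE_ALLOCATIONS = {
    "PE-3": Allocation("PE-3", COMMON, "Facilities (data center)"),
    "AU-6": Allocation("AU-6", HYBRID, "Enterprise SOC", system_part="Payroll app team"),
    "AC-2": Allocation("AC-2", SYSTEM_SPECIFIC, "Payroll app team"),
}
SAMPLE_BASELINE = ["AC-2", "AU-6", "PE-3", "CM-6"]  # CM-6 deliberately left unallocated

def example_plan() -> SystemPlan:
    return allocate("Payroll", SAMPLE_BASELINE, SAMPLE_ALLOCATIONS)
```

The `unallocated` list is the check a reviewer of the SSP wants to see empty before the plan goes to the authorizing official.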
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management

SECURITY AND PRIVACY POSTURE
What is the Security and Privacy Posture?
The security and privacy posture represents the STATUS of the information systems and information resources within an organization based on information assurance resources and the capabilities in place to:
 manage the defense of the organization;
 comply with privacy requirements and manage privacy risks; and
 react as the situation changes.
Understanding the security and privacy posture of organizational information systems and the common controls that are designated for inheritance by those systems is key to the authorizing official's ability to make risk-based decisions.

Continuous Monitoring and Assessing of Controls
 The security and privacy posture is determined on an ongoing basis by assessing and continuously monitoring implemented controls.
 The control assessments and monitoring activities provide evidence that the controls are implemented correctly, operating as intended, and satisfying the security and privacy requirements in response to business requirements, laws, regulations, policies, or standards.
 Authorizing officials use the security and privacy posture to determine if the risks are acceptable based on the organization's risk management strategy and organizational risk tolerance. See RMF Prepare – Organization Level step, Task P-2.
What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management

SUPPLY CHAIN RISK MANAGEMENT

Why Supply Chain Risk Management is Needed
 Organizations are becoming increasingly reliant on external providers for component products, systems, and services needed to carry out important business functions.
 Organizations remain responsible and accountable for the risk incurred when using external suppliers.

Supply Chain Threats
 Insertion of counterfeits
 Unauthorized production
 Tampering
 Theft
 Insertion of malicious software and hardware
 Shoddy manufacturing
 Poor development practices

Why Do We Have Supply Chain Risks?
 Decreased visibility into (and understanding of) how the technology acquired is developed, integrated, and deployed.
 Limited knowledge and/or control of the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the acquired products, systems, and services.

Challenges to Managing Supply Chain Risk
 Defining the types of products, systems, and services that are outsourced.
 Describing how the products, systems, and services are protected in keeping with the security and privacy requirements of the organization.
 Obtaining the necessary assurances that the risk arising from outsourcing is avoided, mitigated, or accepted.

Develop a Supply Chain Risk Management Policy
 Guides and informs SCRM activities.
 Supports applicable organizational policies (acquisition and procurement, information security and privacy, quality, supply chain, and logistics).
 Addresses the goals and objectives in the organization's strategic plan, specific missions and business functions, and the internal and external customer requirements.
 Defines the integration points for SCRM with the risk management and the SDLC processes.
 Defines SCRM-related roles and responsibilities, dependencies among those roles, and interactions among the roles.

What We Will Cover – Fundamentals
 Organization-Wide Risk Management
 Information Security and Privacy Under the RMF
 System and System Elements
 Control Allocation
 Security and Privacy Posture
 Supply Chain Risk Management

THE PROCESS – SUMMARY OF THE RMF TASKS
The Structure of RMF Steps and Tasks
 Each STEP in the RMF has a purpose statement, a defined set of outcomes, and a set of tasks that are carried out to achieve those outcomes.
 Each TASK contains a set of potential inputs needed to execute the task and a set of potential outputs generated from task execution.
 Each task describes the phase of the SDLC where task execution takes place and the risk management roles and responsibilities associated with the task.
 There is a discussion section and references to provide information on how to effectively execute each task.
Task P-2 Risk Management Strategy
 Task P-2: Establish a risk management strategy for the organization that includes a determination of risk tolerance.
 Potential Inputs: Organizational mission statement; organizational policies; organizational risk assumptions, constraints, priorities and trade-offs.
 Potential Outputs: Risk management strategy and statement of risk tolerance.
 Primary Responsibility: Head of Agency
 Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
 Discussion: Risk tolerance is the level or degree of risk or uncertainty that is acceptable to an organization. Risk tolerance affects all components of the risk management process...
 References: NIST Special Publication 800-30; NIST Special Publication 800-39 (Organization Level); NIST Special Publication 800-160, Volume 1 (Risk Management, Decision Management, Quality Assurance, Quality Management, Project Assessment and Control Processes); NIST Special Publication 800-161; NIST Interagency Report 8062; NIST Cybersecurity Framework (Core [Identify Function]).
Risk Management Framework (NIST SP 800-37 Rev. 2) (figure)

7 Organization-Level PREPARE Tasks
 Task P-1: Risk Management Roles
 Task P-2: Risk Management Strategy
 Task P-3: Risk Assessment – Organization
 Task P-4: Organizationally-Tailored Control Baselines
 Task P-5: Common Control Identification
 Task P-6: Impact-Level Prioritization (optional)
 Task P-7: Continuous Monitoring Strategy

The Purpose of the PREPARE Step
 Carry out essential activities at the organization, mission and business process, and information system levels of the organization
 to help prepare the organization to manage its security and privacy risks
 using the Risk Management Framework.

11 System-Level PREPARE Tasks
 Task P-8: Mission or Business Focus
 Task P-9: System Stakeholders
 Task P-10: Asset Identification
 Task P-11: Authorization Boundary
 Task P-12: Information Types
 Task P-13: Information Life Cycle
 Task P-14: Risk Assessment – System
 Task P-15: Requirements Definition
 Task P-16: Enterprise Architecture
 Task P-17: Requirements Allocation
 Task P-18: System Registration
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2 (figure)

Purpose of the Categorize Step
 The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.

3 CATEGORIZE Tasks
 Task C-1: System Description
 Task C-2: Security Categorization
 Task C-3: Security Categorization Review and Approval

NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2 (figure)

Purpose of the Select Step of the RMF
 The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.

6 SELECT Tasks
 Task S-1: Control Selection
 Task S-2: Control Tailoring
 Task S-3: Control Allocation
 Task S-4: Documentation of Planned Control Implementations
 Task S-5: Continuous Monitoring Strategy – System
 Task S-6: Plan Review and Approval
NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2 (figure)

Purpose of the Implement Step of the RMF
 The purpose of the Implement step is to implement the controls in the security and privacy plans for the system and for the organization and to document, in a baseline configuration, the specific details of the control implementation.

2 IMPLEMENT Tasks
 Task I-1: Control Implementation
 Task I-2: Update Control Implementation Information

NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2 (figure)

Purpose of the Assess Step of the RMF
 The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

6 ASSESS Tasks
 Task A-1: Assessor Selection
 Task A-2: Assessment Plan
 Task A-3: Control Assessments
 Task A-4: Assessment Reports (Security and Privacy)
 Task A-5: Remediation Actions
 Task A-6: Plan of Action and Milestones

NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2 (figure)
Purpose of the Authorize Step of the RMF
 The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation, based on the operation of a system or the use of common controls, is acceptable.

The 5 AUTHORIZE Tasks and Outcomes
 Task R-1: Authorization Package
 Task R-2: Risk Analysis and Determination
 Task R-3: Risk Response
 Task R-4: Authorization Decision
 Task R-5: Authorization Reporting

NIST RISK MANAGEMENT FRAMEWORK (RMF) REV. 2 (figure)

Purpose of the Monitor Step of the RMF
 The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.

7 MONITOR Tasks and Outcomes
 Task M-1: System and Environment Changes
 Task M-2: Ongoing Assessments
 Task M-3: Ongoing Risk Response
 Task M-4: Authorization Updates
 Task M-5: Security and Privacy Posture Reporting
 Task M-6: Ongoing Authorization
 Task M-7: System Disposal

5 Core Documents
 NIST SP 800-39, Managing Information Security Risk
 NIST SP 800-30, Guide for Conducting Risk Assessments
 NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
 NIST SP 800-53, Recommended Security Controls for Federal Information Systems
 NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations

Understanding The NIST Risk Management Framework – NIST SP 800-37 Revision 2
Denise Tawwab, CISSP, CCSK
Information Security Risk and Compliance Consultant
www.denisetawwab.com
919.339.2253
June 2-5, 2019 | Myrtle Beach, SC