Risk Management Framework

WHITE PAPER

Making the Most of the Risk Management Framework

NIST’s six-step process is now the risk management standard across the federal government. Here’s why agencies that want to safeguard their IT infrastructure and enhance their mission need to bring their cybersecurity workforce fully up to speed on this highly customizable, effective framework.
Introduction
As information systems have increased in complexity and capacity and the number and type of threats have grown over the last decade, very few of the earliest frontline information security tools and methodologies have maintained their initial significance or applicability—much less become even more relevant.

One high-profile exception to that reality, however, is the Risk Management Framework (RMF), a disciplined and structured six-step process that was first developed nearly 10 years ago by the National Institute of Standards and Technology (NIST) to help federal agencies better protect their information technology systems.

Initially, the RMF was used to certify and accredit (C&A) the systems of federal civilian agencies as a mandated part of their compliance with the Federal Information Systems Management Act (FISMA). For the first several years, the use of RMF as part of this C&A effort was fairly static, with assessment and authorization taking place every three years or whenever there was a change to the system.

However, the RMF was also designed from the start to be flexible. As a result, organizations are now able to leverage the RMF to take a much more dynamic approach to identifying and mitigating vulnerabilities and threats, and can achieve their mission objectives by continuously monitoring any security measures chosen and implemented to avoid, counteract or minimize those risks.

This flexibility is the reason that more and more organizations are adopting the RMF over other risk management frameworks. The Department of Defense announced in March 2014 that it would abandon its long-used and specialized Defense Information Assurance Certification and Accreditation Process (DIACAP) in favor of the RMF, and a growing number of private sector organizations, including financial institutions and health care organizations, are now relying on the RMF on a voluntary basis.

“The beauty of the RMF is that it’s a process that can be applied in many different ways based on the specific organization’s mission, the environments in which they operate and the technologies that they use,” says Dr. Ron Ross, a Fellow with NIST who is also the principal architect of the RMF. “I think it has stood the test of time and will continue to serve the organizations that rely on it because it doesn’t force you into a particular box. It allows you to drive the security solutions that are most appropriate for your organization, and that’s a very powerful characteristic of any framework.”

Step By Step

The RMF, which is fully delineated in NIST Special Publication 800-37, is a holistic risk management process that involves six basic steps at the system level that are further broken down into specific tasks. These steps, according to NIST, are shown in Figure 1 on Page 3.

Figure 1. NIST’s Risk Management Framework: process overview.
Starting point: Architecture Description (Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries) and Organizational Inputs (Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations).
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
Repeat as necessary.

New and Different

With the RMF, there’s no one-size-fits-all approach. Each individual system can be triaged according to its value to the enterprise, and security controls can be specifically selected and then monitored year by year, month by month, day by day or even hour by hour, depending on the criticality of a specific system, the organization’s risk tolerance and the threats posed.

The DoD’s decision to adopt the RMF and mandate its exclusive use in conducting security authorization activities means that, for the first time, all defense, intelligence and federal civilian agencies will be working from the same risk management framework. And that will have a far-ranging impact.

Not only will DoD information security personnel have to learn and adapt to the RMF, but civilian agencies can now count on “reciprocity” between all federal systems, as can government contractors and anyone else who does business with the public sector.

“Everybody is going to be speaking the same language, so that when someone at the State Department says, ‘Here’s my risk level on this system and here are the security controls that I’m using to measure and mitigate that risk,’ it can be equated to connected systems on the DoD side or within the intelligence community or at the White House,” says Dan Waddell, CISSP, CAP, Director of U.S. Government Affairs at (ISC)2.

In addition, universal use of the RMF provides information security professionals with the simpler, more business-friendly language needed to effectively explain their efforts to senior executives, budgetary decision-makers, acquisition personnel, enterprise architects and other stakeholders, so that security can be fully incorporated from the top down rather than from the bottom up.

“Security in many people’s view is a cost to the organization, a drag, an impediment,” says Ross. “When you go at it from the top-down, with the stakeholders sitting there talking about the mission they have to accomplish and what is fundamentally required to protect themselves and to make the mission successful, then security is viewed from a very different perspective: it’s viewed as a mission enabler, an investment in our mission success.”

Civilian agencies that have been using the RMF to comply with FISMA will find value in renewing and continuing their training efforts on the RMF process. The process has been revised to adapt to a new focus on continuous monitoring and ongoing authorization, as well as new threats and vulnerabilities. NIST’s security and privacy control catalog, for example, added another 200-plus security measures when it was revised in 2013.

For DoD personnel, the effort to move to the RMF is made easier by the fact that the RMF is more similar to DIACAP than different from it, though DIACAP was encapsulated in five phases versus the RMF’s six steps. The biggest difference is the process and the role nomenclature, says Chris Kelsall, DON CIO Cyberspace Workforce Branch Head.

“Our biggest concern is that although the same concepts in RMF were in DIACAP, there’s a whole new process for evaluation and a new way of going through the steps to be able to come to the decisions that you come to about whether the security program is adequate and whether the system is ready to operate,” Kelsall says. “So we’re looking at that across the board.”

Other key differences between DIACAP and RMF lie in the way the security and privacy controls in NIST’s 800-53 catalog are organized and described, along with the role descriptions and responsibilities.

“Our primary effort will be to ensure that we transition successfully and smoothly from the Information Assurance Manager (IAM) outlined in the DoD 8570.01M, and its associated qualification requirements, to the Information System Security Manager (ISSM) roles and responsibilities required by the RMF,” says Kelsall. “We will have to look closely at the qualification requirements for the ISSM based on responsibilities and determine how to structure a program that includes all the elements required and the best means of delivering training.”

What’s more, even though RMF takes a step-by-step approach to risk management, information security professionals need to guard against utilizing it in a checklist fashion, as is the cultural tendency, says Ross. “It’s important to let the RMF be the RMF,” Ross says. “In other words, don’t turn it into a compliance exercise but rather allow the flexibility that’s inherent in the framework to drive the solutions that you come up with.”

A broader context is required, Ross says, and civilian agencies need to rethink the RMF by making sure they are assessing their systems, choosing and implementing security controls and monitoring systems even as they assess and adapt to other factors, including the threat space, mission changes and technology evolutions.

“The RMF was really patterned after the way military commanders assess and adapt to changing circumstances on the battlefield: You can’t base today’s tactics on yesterday’s battle plan because the conditions won’t remain the same,” says Ross. “So you can no longer design a system security plan and expect it to survive for three years or even for three months. It’s going to have to be modified on an ongoing basis depending on what you’re experiencing or anticipating right now.”

Mapping Knowledge to Value

The RMF’s new status as the risk management standard within the DoD and across the federal government notwithstanding, learning to apply the RMF can seem overwhelming. That’s why investing in training cybersecurity professionals on the specifics of the RMF process—rather than general principles of risk management—is critical, not just for those new to the framework but also for those who have used it in the past in a more static fashion.

There are many training outlets on risk assessment and management, but the only one that is mapped specifically to the RMF steps and the NIST guidance outlined in Special Publications 800-37, 800-39 and 800-53 is (ISC)2’s Certified Authorization Professional (CAP®) credential and its Common Body of Knowledge (CBK®). CAP is ANSI accredited, and so DoD personnel who earn the CAP credential will also satisfy DoD 8570 compliance for IAM Levels I and II.

The CAP CBK Training Seminar covers seven domains over a five-day period. The first domain provides a history and overview of the RMF and then delves deeply into the tasks and specifics of each of the six steps of the RMF process, including how to effectively select the right security controls and how to prepare a required document known as the continuous monitoring strategy that must be approved by the authorizing official.

In addition, the CAP coursework provides a deep understanding of the roles involved in the RMF process. Rae Hayward, (ISC)2’s Director of Education and Training, says that this is the topic that the DoD is most anxious to learn about “since at the different stages, accurate determination of who meets the requirements for each role will also identify who will be responsible for categorizing the systems and selecting the controls and then—once you get down to operating and monitoring the system—who will be responsible for taking action and signing off on that.”

To ensure that its role identification definitions are always up to date, (ISC)2 performs a job task analysis frequently, and it is currently in the process of cross-mapping the roles that existed within DIACAP to the roles as delineated within RMF in order to help DoD personnel more easily make the transition to RMF.

Kelsall notes that there is value to any opportunity that can help train military personnel on the RMF process, including internal training programs and CAP training. “If it makes more sense for me to go get something that I can use that’s already built and proven rather than trying to build something myself, then we’ll go that way, and that will probably be the better option for someone who’s worked as a Designated Approval Authority under DIACAP and just needs to get the RMF specifics,” he says.

Personnel who complete CAP training can also go on to take the exam and earn the CAP credential. By taking this extra step, information security professionals not only validate their RMF knowledge and skills but are also required to meet continuing education requirements, which provides their organization with ongoing access to the most up-to-date information on relevant risk assessment and management practices.

Ross notes that the RMF’s flexibility is enabling it to continue to evolve and grow in its relevancy and effectiveness at helping organizations protect systems throughout the information lifecycle. For example, NIST is currently drafting Special Publication 800-160, which will extend the RMF process and new security controls to the systems engineering and software development processes.

With the adoption of RMF, the federal government is able to unify on a standard process and set of security controls while, at the same time, maintaining unique and customized security strategies for different environments, Ross says. As information security professionals get up to speed on how to effectively leverage the dynamic nature of the RMF, the government as a whole will be better able to manage risk and protect the nation’s infrastructure.

For more information on (ISC)2’s CAP Training, visit www.isc2.org/cap-training.
About (ISC)2®
Formed in 1989, (ISC)2 is the largest not-for-profit membership body of certified information and software security professionals
worldwide, with over 100,000 members in more than 160 countries. Globally recognized as the Gold Standard, (ISC)2
issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, as well as the Certified
Secure Software Lifecycle Professional (CSSLP®), the Certified Cyber Forensics Professional (CCFPSM), Certified Authorization
Professional (CAP®), HealthCare Information Security and Privacy Practitioner (HCISPPSM) and Systems Security Certified
Practitioner (SSCP®) credentials to qualifying candidates. (ISC)²’s certifications are among the first information technology
credentials to meet the stringent requirements of ISO/IEC Standard 17024, a global benchmark for assessing and certifying
personnel. (ISC)2 also offers education programs and services based on its CBK®, a compendium of information and software
security topics. More information is available at www.isc2.org.
© 2014, (ISC)2 Inc., (ISC)², CISSP, ISSAP, ISSMP, ISSEP, CSSLP, CAP, SSCP and CBK are registered marks, and CCFP and
HCISPP are service marks of (ISC)2, Inc.