Risk Management Framework
Compliance and Regulatory

NIST [Cybersecurity] Risk Management Framework (RMF)

What are NIST and RMF?  

The National Institute of Standards and Technology (NIST) was founded in 1901 to remove significant challenges to U.S. industrial competitiveness due to the U.S. lagging behind other nations such as the U.K. and Germany (About NIST, n.d.).

In 2010, NIST published the Risk Management Framework (RMF), which the Department of Defense then adopted along with other federal and state agencies; it has also been adopted internationally (White, 2020). While most of what the RMF deals with could be considered cybersecurity-related, the process can also strengthen risk management across the entire enterprise.

RMF describes seven steps, or components, that make up the process; they are usually carried out in order, at least the first time through. At the highest level, your organization can use the process for many assessments unrelated to technology, such as deciding whether to move forward with a purchase or a merger.

The steps are as follows:

  • Prepare – carry out the preparation each step requires before executing it
  • Categorize – the system and the information it processes
  • Select – an initial set of controls
  • Implement – the controls
  • Assess – the controls, to determine whether they are implemented correctly
  • Authorize – the system and its associated controls
  • Monitor – the system and its associated controls
  • Repeat – run the process again as a continuing monitor/update cycle

Note the final item, Repeat. It is not listed as a formal step but is included to reinforce the idea of using this process each time it is appropriate, or during reassessment of processes that have changed or been updated. If your organization has multiple business ventures under one ‘umbrella,’ you would use this same process for each. Likewise, multiple lines of communication would be assessed using this same process, but as a separate instance for each.

Who can use RMF?   

RMF is designed as a pathway that organizations can use to reduce risk to business processes, protect the privacy of their clients, secure communications both inside and outside their internal networks, and maintain the protection of financial data such as credit card and bank account details. While originally created for federal use, it is well suited to small, medium, and large public organizations that need to protect their investments.

Why use RMF?  

Evolving technology and organizational needs require constant reassessment and updating of the measures that secure and reinforce the barriers protecting those organizations from adverse events. The cybersecurity component of RMF, known as the Cybersecurity Framework (CSF), guides those assessments along a path that can be tailored to the individual situation or technology while also giving the flexibility necessary to match the organization’s risk appetite.

How does the CSF work?

At the core of the CSF are five overall functions: Identify, Protect, Detect, Respond, and Recover. Each function relates to specific components of organizational management as they pertain to risk management, and they are listed in this order because following a standard path improves the outcome of the process. Before an organization can make a considered decision about any risk, it must first identify what it is trying to protect. Once that is identified, protective measures can be defined and implemented as needed.

Each core function is divided into categories, subcategories, and informative references. These divisions correspond to the specific outcomes identified as beneficial for each part of that function. For instance, if you are protecting the points where credit card information enters your organization, you would need to know which laws, regulations, and processes are required or recommended for those entry points. Those laws, regulations, and processes are found in the Informative References section of each functional item.

To give an example, below is a capture of one area within the Identify function:

Figure 1 – NIST Cybersecurity Framework Excel Example

As you can see in the image above, the Asset Management category is further broken down into subcategories. Each item is identified alphanumerically (with letters and numbers) to allow for greater control of the process as it is implemented or updated. For instance, ID.AM-3 is the mapping of communication and data flows for assets once they have been identified. This same subcategory would be used for each form of communication or data flow within the organization, usually separately, to determine what needs to be protected and where that protection is best implemented.

Note: While there are many separate categories and subcategories within the Cybersecurity Framework, it is not necessarily true that your organization must or will use all of them, or that you won’t find other areas that must be identified and protected that are not listed. Tailor the process to your organizational needs.
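To make the structure described above concrete, here is an added Python example (not code from the original page, NIST, or Northstarr) that models the Function / Category / Subcategory hierarchy, validates identifiers of the ID.AM-3 form, and tracks which subcategories have been assessed against each separate communication or data flow, so the tailored subset you choose can be checked for gaps. The function codes (ID, PR, DE, RS, RC) are the two-letter codes the framework uses for the five functions named above; the small catalogue, the instance names, and the sample assessment results are constructed for illustration.

```python
"""Added example: a tiny CSF core model and per-instance coverage tracker.

Not part of the original page. The catalogue below is a constructed excerpt
with paraphrased outcome text, not the full framework; instance names and
assessment results are made up for illustration.
"""
import re
from dataclasses import dataclass, field

# The five core functions and the two-letter codes used in identifiers.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Identifier shape: <function>.<category>-<index>, e.g. ID.AM-3.
_ID_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d+)$")


@dataclass(frozen=True)
class SubcategoryId:
    function: str  # e.g. "ID"
    category: str  # e.g. "AM" (Asset Management)
    index: int     # e.g. 3


def parse_subcategory_id(text: str) -> SubcategoryId:
    """Validate and decompose an identifier such as 'ID.AM-3'.

    Malformed strings (e.g. the typo form 'I.D.AM-3') and unknown function
    codes are rejected so tracker data cannot silently drift.
    """
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed subcategory identifier: {text!r}")
    func, cat, idx = m.group(1), m.group(2), int(m.group(3))
    if func not in FUNCTIONS:
        raise ValueError(f"unknown function code {func!r} in {text!r}")
    return SubcategoryId(func, cat, idx)


# Constructed excerpt of the catalogue: identifier -> paraphrased outcome.
CATALOGUE = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "ID.AM-3": "Organizational communication and data flows are mapped",
    "PR.DS-1": "Data at rest is protected",
    "PR.DS-2": "Data in transit is protected",
}


@dataclass
class Tracker:
    """Tracks which (subcategory, instance) pairs have been assessed.

    `instances` are the separate data flows each subcategory is applied to
    individually, as the text describes (hypothetical names).
    """
    instances: list
    in_scope: set = field(default_factory=set)
    assessed: set = field(default_factory=set)

    def add_scope(self, *ids: str) -> None:
        """Tailor the assessment: only these subcategories are in scope."""
        for sid in ids:
            parse_subcategory_id(sid)  # fail early on a bad identifier
            if sid not in CATALOGUE:
                raise KeyError(f"{sid} not in catalogue")
            self.in_scope.add(sid)

    def record(self, sid: str, instance: str) -> None:
        """Mark one subcategory as assessed for one data flow."""
        if sid not in self.in_scope:
            raise KeyError(f"{sid} is not in scope for this assessment")
        if instance not in self.instances:
            raise KeyError(f"unknown instance {instance!r}")
        self.assessed.add((sid, instance))

    def gaps(self) -> list:
        """Subcategory/instance pairs still unassessed, in identifier order."""
        return [(sid, inst) for sid in sorted(self.in_scope)
                for inst in self.instances if (sid, inst) not in self.assessed]

    def coverage_by_function(self) -> dict:
        """Fraction of in-scope (subcategory, instance) pairs assessed, per function."""
        counts: dict = {}
        for sid in self.in_scope:
            fn = FUNCTIONS[parse_subcategory_id(sid).function]
            done_total = counts.setdefault(fn, [0, 0])
            for inst in self.instances:
                done_total[1] += 1
                if (sid, inst) in self.assessed:
                    done_total[0] += 1
        return {fn: done / total for fn, (done, total) in counts.items()}


def example_assessment() -> Tracker:
    """Constructed walkthrough: two data flows, four in-scope subcategories."""
    t = Tracker(instances=["cardholder-data-entry", "internal-email"])
    t.add_scope("ID.AM-1", "ID.AM-3", "PR.DS-1", "PR.DS-2")
    t.record("ID.AM-1", "cardholder-data-entry")
    t.record("ID.AM-1", "internal-email")
    t.record("ID.AM-3", "cardholder-data-entry")
    t.record("PR.DS-2", "cardholder-data-entry")
    return t


if __name__ == "__main__":
    tracker = example_assessment()
    for fn, frac in tracker.coverage_by_function().items():
        print(f"{fn}: {frac:.0%} of subcategory/instance pairs assessed")
    for sid, inst in tracker.gaps():
        print(f"gap: {sid} ({CATALOGUE[sid]}) not yet assessed for {inst}")
```

Running the script lists Identify at 75% and Protect at 25% coverage for the constructed data, followed by the four unassessed pairs. The design choice worth noting is that scope is explicit: a subcategory that is tailored out never appears in the gap list, while one that is in scope is reported per data flow until each flow has been assessed, which mirrors the "separate instance for each" approach the text describes.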

Northstarr recommendations:

RMF and CSF may not be appropriate for your organization, but if you feel they might be, let Northstarr professionals help you with that decision. We can guide your efforts, offer training and support, and validate the results of your implementation.

Don’t let risk management become an insurmountable burden for your organization; Northstarr wants to show you the path.