Risk Management Framework Whitepaper Module 7

The document discusses the Risk Management Framework (RMF) developed by NIST. The RMF is a six step process: (1) Categorize systems, (2) Select security controls, (3) Implement controls, (4) Assess controls, (5) Authorize systems, and (6) Monitor controls. The process provides continuous evaluation and improvement to ensure security is embedded in system development and that all levels of an organization meet security objectives.

Running head: RISK MANAGEMENT FRAMEWORK – ASSIGNMENT 7 1

Risk Management Framework – Assignment 7

Kevin Splittgerber

University of San Diego – CSOL530


The Risk Management Framework

Any organization that uses information technology in its day-to-day business operations has vulnerabilities. No matter the size of the organization or operation, the systems in use carry risk that needs to be identified, categorized and mitigated to limit the negative impact on the organization in the event of a loss of confidentiality, integrity or availability (CIA). The National Institute of Standards and Technology (NIST) developed the Risk Management Framework (RMF), which establishes a process that an organization may use to assess and document systems, risks, controls and monitoring. One of the primary objectives of the RMF is to embed security into the system development lifecycle so that all levels and members of an organization are cognizant of security threats and of why the security controls are put into place. The process provides a means for continuous evaluation and improvement in which all levels of an organization are aligned to the organizational goals and regulatory requirements needed to meet security objectives.

The risk management framework is comprised of the following steps: Categorize information systems, Select security controls, Implement security controls, Assess security controls, Authorize the information system and Monitor security controls. Each step takes inputs and produces outputs that feed into the next step, building a continuous feedback loop that allows for continuous improvement. This feedback loop is illustrated in Figure 1 below.


Figure 1 Risk Management Framework NIST SP 800-37

Categorization

The Categorization step takes each system and breaks it down into sub-systems based on the various types of data generated, stored and transmitted. Each sub-system is analyzed and categorized based on the potential impact on the organization's mission/business function if the system suffers a loss of one of the CIA objectives. This step also identifies the organization's level of acceptance of risk, which determines the level of effort and resources to be allocated to mitigating the risks. This impact assessment describes the potential impact to the organization in 3 levels:

- Low – Limited/minor effect on operations, assets or individuals; primary business functions may continue with reduced effectiveness.

- Moderate – Serious effect on operations, assets or individuals; primary business function effectiveness significantly reduced; no life-threatening injuries.

- High – Severe or catastrophic effect on one or more primary business functions, major damage to assets, financial losses, loss of life or life-threatening injuries.

The security categorization follows this pattern: Security Category: {(Confidentiality, Impact Level), (Integrity, Impact Level), (Availability, Impact Level)}, where the Impact Level is one of the levels listed above. The overall security categorization of the system is based on what is known as the high-water mark: the highest impact level found in any sub-system is used as the impact level for the entire system. For example, if sub-systems A and B have a Low impact level for Availability, but sub-system C has a Moderate level, then the system's Availability impact level is Moderate. Using the security categorizations, impact levels and risk acceptance as inputs, the output of the categorization step becomes an input to the control selection step.
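As an added illustration of the high-water mark rule (example code, not part of the paper): a small Python routine that rolls sub-system (C, I, A) impact levels up to the system category using the paper's A/B/C availability case as constructed input, and also derives the single overall level that selects an SP 800-53 baseline. Sub-system names and their impact values are assumptions made for the example.

```python
# Added example (not from the paper): FIPS 199-style security categorization
# with the high-water mark described in the text. Sub-system names and data
# values below are constructed for illustration.
from typing import Dict

LEVELS = ("Low", "Moderate", "High")  # ordered from least to most severe
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")

Category = Dict[str, str]  # objective name -> impact level

def high_water_mark(*levels: str) -> str:
    """Return the most severe of the given impact levels."""
    for lv in levels:
        if lv not in RANK:
            raise ValueError(f"unknown impact level: {lv!r}")
    return max(levels, key=RANK.__getitem__)

def system_category(subsystems: Dict[str, Category]) -> Category:
    """Roll sub-system categorizations up to the system: for each objective,
    take the high-water mark across all sub-systems."""
    if not subsystems:
        raise ValueError("at least one sub-system is required")
    return {obj: high_water_mark(*(cat[obj] for cat in subsystems.values()))
            for obj in OBJECTIVES}

def overall_impact(category: Category) -> str:
    """Single system impact level (used to pick the SP 800-53 baseline):
    the high-water mark across C, I and A."""
    return high_water_mark(*(category[obj] for obj in OBJECTIVES))

def format_category(category: Category) -> str:
    """Render in the paper's notation: SC = {(Confidentiality, L), ...}."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"

# Constructed sample: the paper's case, where A and B are Low for Availability
# but C is Moderate, so the system's Availability impact becomes Moderate.
SAMPLE = {
    "A": {"Confidentiality": "Low", "Integrity": "Low", "Availability": "Low"},
    "B": {"Confidentiality": "Moderate", "Integrity": "Low", "Availability": "Low"},
    "C": {"Confidentiality": "Low", "Integrity": "Low", "Availability": "Moderate"},
}

if __name__ == "__main__":
    cat = system_category(SAMPLE)
    print(format_category(cat), "-> overall:", overall_impact(cat))
```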

Selection

Security control selection is the second step of the risk management framework process. Using the security categorization from step 1 as well as risk assessments, security requirements and security strategy, a set of baseline controls for the system is selected from NIST Special Publication 800-53 and then tailored to the environment of operation. The tailoring process also documents the reasoning for the removal or addition of controls due to special circumstances. It is the responsibility of the system owner and common control provider to select and tailor these controls. NIST Special Publication 800-53 identifies security control families and different sets of baseline controls for the impact levels Low, Moderate and High. Security control families and their components may be provided by the organization and inherited by the system. One benefit of this is shared cost across all inheriting systems and a common method for securing systems with similar impact levels. Some controls are specific to the system and will be implemented by the system owners. Other controls are hybrid: partially implemented by the organization as a common control, and partially implemented by the system. The determination of common, hybrid and system-specific controls occurs during the tailoring activities of this step and includes documentation of the reasoning. The control selection, tailoring and documentation are approved by the system owner and common control provider and used as input for the implementation step of the RMF.

Implementation

Security control implementation is the third step of the RMF. This process is laid out in NIST Special Publication 800-160 Volume 1 and NIST Special Publication 800-37 Revision 2. The control implementation step uses as inputs the approved security and privacy controls selected in the second step of this white paper, as well as risk assessments, impact assessments, system and security architecture information and system environment information, to produce the implemented controls. The system owner and common control provider are the parties primarily responsible for implementing security and privacy controls.

Assessment

Security control assessment is the fourth step of the risk management framework. This process is laid out in NIST Special Publication 800-30, NIST Special Publication 800-37 Revision 2 and NIST Special Publication 800-53A Revision 4. Using NIST Special Publication 800-53A Rev. 4 for guidance, the control assessment step uses inputs from the risk framing step, the mission and business functions that use the security control, and the results from the implementation step described in this white paper. Other inputs, including adversaries and adversary threat capabilities, are also considered during the assessment phase. The result of the process is the Security Assessment Report (SAR). The SAR documents the findings, including compliance or non-compliance with the assigned security controls. This then feeds into the Plan of Action & Milestones (POA&M). It is very important that this step of the risk management framework be completed whenever any changes to the security architecture and/or environment are made. This is important because assurance, or trust in the system, can only be established after verification that the system is working as planned and that the environment of operation and its associated threats and vulnerabilities are addressed, either through mitigating security controls or through acceptance of residual risk. Any change to the system or environment requires re-assessment.

The completed risk assessment results in an overall improvement to the security of the organization, including a benefit to systems that inherit from common controls, where vulnerabilities and gaps are identified and remediation steps are to be taken. The security risk assessment and POA&M reports are communicated to the organization's executives, system owners, and privacy and security team members.

Authorization

Security control authorization is the fifth step of the risk management framework. This process is laid out in NIST Special Publication 800-37. The authorization step is the culmination of the previous four RMF steps, where the authorization package informs the decision to authorize or deny the operation or use of information systems or common controls. The authorization package contains the system's security and privacy plans, implementation plan, security assessment reports, and the plan of action and milestones. There are several possible results of the authorization process: Authorization to Operate (ATO), Interim Approval to Test (IATT) and Denial of Authorization to Operate (DATO). If authorized to operate, the information system is cleared for use by the organization and related parties for a period after the authorization date. If denied authorization to operate, the system owners and security team will begin decommissioning the system, or the system may still be authorized to operate when the risks are acceptable, or when conditions exist that make the risks acceptable to the CIO. The value of this step is that the authorization package, when inherited, informs the inheriting controls of the environment and level of security it is tailored for and of the dependencies the system needs to operate.

Monitoring

Continuous Monitoring is the sixth and final step of the risk management framework. NIST Special Publication 800-37 documents the process and desired results of continuous monitoring. There are several tasks in continuous monitoring: tracking changes to the system and environment, ongoing assessment, ongoing risk response, authorization package updates, reports to senior leadership on security and privacy, ongoing authorization, and system disposal. The importance of this step is to ensure that the system and the environment it is intended to operate in are still within the expected design parameters, and that if the system can no longer function within the environment, there is a process for decommissioning it where security and privacy are still maintained. If a system or environment is changed, assessment, response and re-authorization are needed for assurance that the security and privacy goals of the system continue to be met. Tracking changes to the system or environment includes detecting that changes have been made, whether unauthorized changes by internal staff not following procedure or unauthorized changes via attack. Detection of such an event triggers several responses: incident response; adjustment to risk, prevention and detection tools and any affected security controls; and/or remedial training of staff to follow established system modification procedures.

When any change to the system occurs, the system is then re-assessed and re-authorized. Due to the fast, dynamic environment in today's technology space, utilizing automation whenever possible will ensure that security and privacy standards are met, for example when updating server operating systems, patching critical software, and monitoring network traffic and event logs. Having automated systems will keep team members' time free from the monotony of checking versions, manually updating client machines, or trying to piece together related events from event logs. A highly integrated, automated continuous monitoring system may pool knowledge from disparate systems and capture and report conditions in near real time. For example, if there is a change in personnel, such a system will ensure that the outgoing team member's authorizations are properly removed from all systems and alert security team members if the deactivated account attempts to access a secured physical space or information system. A change in configuration, such as hardware, software or firmware, will necessitate a re-assessment to ensure that privacy and security standards are met. An automated configuration management system may automatically upgrade and patch hardware and software systems to the latest approved versions. An automated system may also run automated testing to ensure that the system is proven to meet standards for compliance and is working as intended in its environment.

A more complicated situation to account for is when the environment of operation changes, for example when external personnel such as contractors are brought into the workplace. When a change to the environment occurs, all systems in the environment are affected and, as expected, affected systems must be re-assessed and re-authorized. Contractors working in house will require that access control is limited to the least privilege for each account, with file shares limited to only what the contractor needs access to. Automated configuration will ensure that this is simple, and intrusion detection and intrusion prevention systems will automatically catch anyone attempting to gain access to an area they shouldn't. Systems such as these will be of benefit to an organization in a variety of situations.
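The automated monitoring the paper describes, as an added example that is not part of the original paper: a Python check that detects drift from an approved configuration baseline (which, per the text, must trigger re-assessment) and flags access attempts by deactivated accounts in a constructed log format. The baseline keys, account names and log lines are assumptions made for the example.

```python
# Added example (not from the paper): a small continuous-monitoring check in the
# spirit of the Monitoring step. It (1) detects configuration drift against an
# approved baseline, which the text says must trigger re-assessment, and
# (2) alerts on access attempts by deactivated accounts. All baselines,
# account names and log lines are constructed for illustration.
import hashlib
from typing import Dict, List, Set

def fingerprint(config: Dict[str, str]) -> str:
    """Stable SHA-256 over sorted key=value pairs of a system's configuration."""
    blob = "\n".join(f"{k}={config[k]}" for k in sorted(config))
    return hashlib.sha256(blob.encode()).hexdigest()

def changed_items(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Keys whose values differ, were added, or were removed versus the baseline."""
    keys = sorted(set(baseline) | set(current))
    return [k for k in keys if baseline.get(k) != current.get(k)]

def needs_reassessment(baseline: Dict[str, str], current: Dict[str, str]) -> bool:
    """Any drift from the authorized baseline means the authorization no longer
    describes the system as it actually runs."""
    return fingerprint(baseline) != fingerprint(current)

def deactivated_access_attempts(log_lines: List[str], deactivated: Set[str]) -> List[str]:
    """Return log lines in which a deactivated account tried to authenticate.
    Assumed (constructed) log format: '<ts> <result> user=<name> target=<system>'."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("user") in deactivated:
            hits.append(line)
    return hits

# Constructed data for a hypothetical server and its authentication log.
BASELINE = {"os_version": "8.4", "sshd_PermitRootLogin": "no", "fw_default": "deny"}
OBSERVED = {"os_version": "8.4", "sshd_PermitRootLogin": "yes", "fw_default": "deny"}
DEACTIVATED = {"jdoe"}
LOG = [
    "2019-08-20T08:01:02 success user=asmith target=fileshare",
    "2019-08-20T08:05:41 failure user=jdoe target=fileshare",
    "2019-08-20T08:06:10 failure user=jdoe target=badge-door-3",
]

if __name__ == "__main__":
    if needs_reassessment(BASELINE, OBSERVED):
        print("drift detected, re-assess:", changed_items(BASELINE, OBSERVED))
    for hit in deactivated_access_attempts(LOG, DEACTIVATED):
        print("ALERT deactivated account:", hit)
```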



References

United States, U.S. Department of Commerce. (2014, December). NIST Special Publication 800-53A Revision 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations. Retrieved August 21, 2019, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

United States, U.S. Department of Commerce. (2018, December). NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Retrieved August 27, 2019, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Symantec. (2018). Internet Security Threat Report, Volume 23 [Brochure]. Author. Retrieved July 15, 2019, from http://images.mktgassets.symantec.com/Web/Symantec/{3a70beb8-c55d-4516-98ed-1d0818a42661}_ISTR23_Main-FINAL-APR10.pdf

Draft NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. (2017, August). Retrieved August 10, 2019, from https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems. (2004, February). Retrieved August 10, 2019, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

United States, U.S. Department of Commerce. (2012, September). NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. Retrieved August 21, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Ross, R., McEvilley, M., & Oren, J. C. (2016, November). Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Retrieved August 19, 2019, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1.pdf

United States, U.S. Department of Commerce. (2006, March). Minimum Security Requirements for Federal Information and Information Systems. Retrieved August 16, 2019, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf
