NIST RMF

The NIST Risk Management Framework outlines a process for identifying, assessing, and managing cybersecurity risks to federal information systems. It involves tasks such as identifying system characteristics, selecting provisional impact levels, reviewing and finalizing impact levels, assigning security categories, selecting applicable security controls, implementing controls, assessing controls, and authorizing systems. The goal is to help agencies manage risk to systems and information.

Uploaded by Diego

NIST RISK MANAGEMENT FRAMEWORK

(Reconstructed from the one-page flowchart; only the diagram's step, task and artifact labels are recoverable here.)

PREPARE
Organization level:
- TASK P-1 Risk Management Roles
- TASK P-2 Risk Management Strategy
- TASK P-3 Risk Assessment (Organization)
- TASK P-4 Control Baselines and Profiles
- TASK P-5 Common Control Identification
- TASK P-6 Impact Level Prioritization
- TASK P-7 Continuous Monitoring Strategy
System level: TASK P-8 through TASK P-18 (the diagram repeats the organization-level task names for these rather than giving system-level names).

CATEGORIZE SYSTEMS (NIST SP 800-60)
- TASK C-1 System Description
- TASK C-2 Security Categorization
- TASK C-3 Security Categorization Review & Approval
Flow: Identify Information Types -> Select Provisional Impact Levels -> Review Provisional Impact Levels -> Finalize Information Impact Levels -> Assign System Security Category.
Artifacts: Document System Characteristics, Review System Categorization, Systems Categorized.

SELECT CONTROLS
- TASK S-1 Control Selection
- TASK S-2 Control Tailoring
- TASK S-3 Control Allocation
- TASK S-4 Documentation of Planned Control Implementation
- TASK S-5 Continuous Monitoring Strategy
- TASK S-6 Plan Review and Approval
Flow: Select Controls -> Tailor Controls -> Allocate Controls to Systems and Assets -> Document Control Implementations -> Review Security & Privacy Plans -> Approved Security & Privacy Plans.

CONTROL MATRIX
- Authority documents: NIST SP 800-53, NIST SP 800-53B, NIST CSF, CIS CSC 20, PCI DSS, ISO 27001, ISO 27002, ISO 27018, ISO 27701, COBIT 2019
- Control functions: Preventive, Detective, Deterrent, Corrective, Compensating, Recovery
- Control operation: Manual, Automatic
- Control categories: Physical, Technical, Administrative

IMPLEMENT CONTROLS
- TASK I-1 Control Implementation
- TASK I-2 Update Control Implementation Information
Flow: Implement Controls -> Document Changes -> Updated Security & Privacy Plans.

ASSESS CONTROLS (NIST SP 800-53A)
- TASK A-1 Assessor Selection
- TASK A-2 Assessment Plan
- TASK A-3 Control Assessments
- TASK A-4 Assessment Reports
- TASK A-5 Remediation Actions
- TASK A-6 Plan of Action and Milestones
Phases: Pre-assessment (Prepare for Security and Privacy Control Assessments; Develop Security and Privacy Assessment Plans) -> Assessment (Conduct Security and Privacy Assessments) -> Post-assessment (Analyze Assessment Reports).
Artifacts: Approved Security & Privacy Plans, Assessment Plans, Assessment Reports, Remediation Plans, Updated Security & Privacy Plans.

AUTHORIZE SYSTEMS
- TASK R-1 Authorization Package
- TASK R-2 Risk Analysis and Determination
- TASK R-3 Risk Response
- TASK R-4 Authorization Decision
- TASK R-5 Authorization Reporting
Flow: Assemble Authorization Package (Security & Privacy Plans, Security & Privacy Assessment Report, Plan of Action & Milestones, Executive Summary) -> Risk Assessment -> Risk Treatment -> System Authorization.

MONITOR SYSTEMS
- TASK M-1 System and Environment Changes
- TASK M-2 Ongoing Assessments
- TASK M-3 Ongoing Risk Response
- TASK M-4 Authorization Package Updates
- TASK M-5 Security and Privacy Reporting
- TASK M-6 Ongoing Authorization
- TASK M-7 System Disposal
Flow: Monitor Systems -> Risk Assessment -> Risk Treatment -> Update Documentation -> Report System Status -> System Authorization -> System Disposal.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf