Risk Management

The Risk Management Framework
The National Institute of Standards and Technology, in partnership with the Department of Defense, the Office of the Director of National Intelligence, and the Committee on National Security Systems, developed the Risk Management Framework, a six-step process. It promotes near real-time risk management and ongoing information system authorization, gives senior leaders the information they need to make cost-effective, risk-based decisions, and establishes responsibility and accountability for security controls. (NIST SP 800-37 r1, p. 1-2)

Step 1: Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Step 2: Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

Step 3: Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

Step 4: Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Step 5: Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, or other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Step 6: Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. (NIST SP 800-37 r1 p. 7-8)
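Step 1 and the start of Step 2 are the only parts of the process with a fixed, computable rule: FIPS 199 assigns each information type an impact level per security objective, the system inherits the highest level found for each objective, and the system's overall impact level is the high-water mark across confidentiality, integrity and availability, which in turn names the SP 800-53 baseline that Step 2 starts from. The following Python is an added worked example of that rule; it is not code from this page or from NIST. The information types and impact levels are constructed sample data, not values taken from NIST SP 800-60.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example, not code from the page or from NIST. The information types and
their impact levels below are constructed sample data, not values taken from
NIST SP 800-60.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Ordinal ranking of FIPS 199 impact levels. "N/A" is only permitted for the
# confidentiality of an information type (e.g. public information), never for
# a security objective of an information system.
RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in RANK:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
            if level == "N/A" and objective != "confidentiality":
                raise ValueError(f"{self.name}: N/A is only allowed for confidentiality")


def _highest(levels: Iterable[str]) -> str:
    """Highest impact level in an iterable of level names."""
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """Aggregate per objective: the system's level for each objective is the
    highest level of any information type it handles, floored at LOW because
    an information system cannot be categorized N/A for any objective."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = _highest(getattr(t, objective) for t in info_types)
        category[objective] = "LOW" if highest == "N/A" else highest
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """High-water mark: the system's overall impact level is the highest of the
    three objective levels (FIPS 199 / FIPS 200)."""
    return _highest(category[o] for o in OBJECTIVES)


def select_baseline(level: str) -> str:
    """Step 2 starting point: the SP 800-53 baseline matching the overall impact
    level, before any tailoring or supplementation."""
    if level not in ("LOW", "MODERATE", "HIGH"):
        raise ValueError(f"no baseline for impact level {level!r}")
    return f"{level} baseline"


def security_category_notation(category: Dict[str, str]) -> str:
    """Render the FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: three information types handled by one hypothetical system.
SAMPLE_TYPES = [
    InformationType("public web content", "N/A", "LOW", "LOW"),
    InformationType("customer account records", "MODERATE", "MODERATE", "LOW"),
    InformationType("payment processing", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_TYPES)
    level = overall_impact(category)
    print(security_category_notation(category))
    print("overall impact:", level, "->", select_baseline(level))
```

For the constructed sample the system comes out as SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}, so the overall impact is HIGH and Step 2 starts from the HIGH baseline even though only one information type drives that level. The N/A floor matters for systems that handle only public information: the type may be N/A for confidentiality, but the system is still categorized LOW for that objective.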

[Figure omitted] Image Source: NIST SP 800-37r1

The first component of risk management is how the organization will frame risk: establishing the context in which risk-based decisions are made. It is used to produce a risk management strategy.

The second component of risk management is how the organization will assess risk. Its purpose is to identify threats to the organization, vulnerabilities internal and external to the organization, the harm resulting from exploitation of those vulnerabilities, and the likelihood that the harm will occur.

The third component of risk management is how the organization will respond to risk once it has been determined from the results of the risk assessment.

The fourth component of risk management is how the organization will monitor risk over time. (NIST SP 800-39 p. 6-7)
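The second, third and fourth components above (assess, respond, monitor) can be illustrated on a small risk register: each entry pairs a threat with a vulnerability, carries a likelihood and an impact, gets a risk level from their combination, receives a response decision against the organization's stated risk tolerance, and is re-assessed when one of its factors changes. The Python below is an added example, not code from this page or from NIST SP 800-39; the five-point scales, the combination rule, and the response thresholds are simplified assumptions for illustration, and the register entries are constructed.

```python
"""Qualitative risk assessment, response and monitoring over a small risk register.

Added example, not code from the page or from NIST SP 800-39. The five-point
likelihood/impact scales, the combination rule, and the response thresholds are
simplified assumptions for illustration; the register entries are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Assumed qualitative scale shared by likelihood, impact and risk level.
SCALE = ["VERY LOW", "LOW", "MODERATE", "HIGH", "VERY HIGH"]


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: a threat exercising a vulnerability."""
    identifier: str
    threat: str
    vulnerability: str
    likelihood: str   # one of SCALE: likelihood that harm occurs
    impact: str       # one of SCALE: magnitude of harm if it does

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{self.identifier}: unknown level {value!r}")


def risk_level(likelihood: str, impact: str) -> str:
    """Assumed combination rule: multiply the 1..5 ranks and bucket the product.
    This is a simplified stand-in, not a table from any NIST publication."""
    product = (SCALE.index(likelihood) + 1) * (SCALE.index(impact) + 1)
    if product >= 16:
        return "VERY HIGH"
    if product >= 10:
        return "HIGH"
    if product >= 5:
        return "MODERATE"
    if product >= 2:
        return "LOW"
    return "VERY LOW"


def respond(level: str, tolerance: str) -> str:
    """Assumed response policy driven by the risk framing's tolerance: risk at or
    below tolerance is accepted, one step above is mitigated, anything higher is
    escalated to leadership for an avoid/transfer decision."""
    gap = SCALE.index(level) - SCALE.index(tolerance)
    if gap <= 0:
        return "ACCEPT"
    if gap == 1:
        return "MITIGATE"
    return "ESCALATE"


Assessment = Dict[str, Tuple[str, str]]


def assess(register: List[Risk], tolerance: str) -> Assessment:
    """Component 2 and 3: risk level and response decision per register entry."""
    return {
        r.identifier: (risk_level(r.likelihood, r.impact),
                       respond(risk_level(r.likelihood, r.impact), tolerance))
        for r in register
    }


def monitor(previous: Assessment, current: Assessment) -> Dict[str, Tuple[Optional[str], str]]:
    """Component 4: report entries whose risk level changed (or are new) between
    two assessments, so leadership sees where the security state moved."""
    changes = {}
    for rid, (level, _decision) in current.items():
        old = previous.get(rid)
        if old is None or old[0] != level:
            changes[rid] = (old[0] if old else None, level)
    return changes


# Constructed sample register for a hypothetical system.
SAMPLE_REGISTER = [
    Risk("R1", "phishing campaign", "weak mail filtering", "HIGH", "MODERATE"),
    Risk("R2", "flooding of the data center", "single site, no failover", "VERY LOW", "VERY HIGH"),
    Risk("R3", "insider misuse", "excessive standing privileges", "LOW", "HIGH"),
]
# Re-assessment after a personnel change raised the likelihood on R3.
UPDATED_REGISTER = [replace(r, likelihood="MODERATE") if r.identifier == "R3" else r
                    for r in SAMPLE_REGISTER]

if __name__ == "__main__":
    before = assess(SAMPLE_REGISTER, tolerance="MODERATE")
    after = assess(UPDATED_REGISTER, tolerance="MODERATE")
    for rid, (level, decision) in before.items():
        print(rid, level, decision)
    print("changed:", monitor(before, after))
```

With a MODERATE tolerance the sample yields R1 as HIGH/MITIGATE, R2 as MODERATE/ACCEPT (very unlikely but very damaging), and R3 as MODERATE/ACCEPT; after the personnel change R3 rises to HIGH and the monitor reports exactly that entry, which is the trigger for revisiting the response decision.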

[Figure omitted] Image Source: NIST SP 800-39

Missions and business functions defined at Tier 1 influence the design and development of the mission/business processes created at Tier 2 to carry out those functions. Tier 1 provides the prioritization of missions/business functions, which in turn drives investment strategies and funding decisions, affecting the development of the enterprise architecture at Tier 2 and the allocation and deployment of management, operational, and technical security controls at Tier 3.

Tier 2 addresses risk from a mission/business process perspective and is informed by the risk context, risk decisions, and risk activities at Tier 1. Tier 2 activities directly affect the activities carried out at Tier 3.

Tier 3 addresses risk from an information system perspective and is guided by the risk context, risk decisions, and risk activities at Tiers 1 and 2.

(NIST SP 800-39 p. 9-10)

[Figure omitted] Image Source: NIST SP 800-39

Continuous Monitoring Risk Management Final Project:

In this PowerPoint presentation, I discussed the process I used to assess risk, authorize a system for operation, and monitor the system once it is in operation. My goal is to explain how I will ensure that the system remains secure in light of: 1) changes to personnel, 2) changes to the hardware/software/firmware, and/or 3) changes to the environment.

I will identify all aspects of the Risk Management Framework, including a plan for continuous monitoring.

Resources & References

Risk Management Framework

1. CATEGORIZE Information System – FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems)/NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories)

2. SELECT Security Controls – FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) / NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations)

3. IMPLEMENT Security Controls – Many NIST SPs

4. ASSESS Security Controls – NIST SP 800-53A (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans)

5. AUTHORIZE Information System – NIST SP 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

6. MONITOR Security State – NIST SP 800-137 (Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations) / NIST SP 800-53A (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans)

©2018 by Ken Yee's University of San Diego Cyber Security Operations & Leadership Capstone Course Portfolio.
