NIST Risk Management Framework (RMF) Breakdown

As organizations consider how to protect themselves from an escalating number of cybersecurity risks, the National Institute of Standards and Technology (NIST) has developed a risk management framework designed to help companies quantify and manage their most critical risks.

While this framework was created for federal government agencies, it is considered the gold standard for risk management across both the public and private sectors. In fact, any organization, no matter what its size or industry, can use this framework to effectively manage its cybersecurity risks.

The 7 NIST risk management framework steps.

Prepare

As a first step, security professionals need to prepare all levels of the organization to manage security and privacy. This involves identifying key roles of management and responsibility, determining the organization’s risk tolerance, and assessing risk across the organization. It also requires developing an organization-wide risk management strategy that includes continuous monitoring.

Categorize

This step requires identifying and categorizing the severity of a security breach to each system across the organization. In other words, what is the impact to the organization if the confidentiality, integrity, and availability of different systems throughout the organization are compromised? By categorizing each system, organizations can determine which systems require the highest protection.

Select

After they categorize their systems, organizations need to select the security controls required to protect each system. Some security controls can be applied to multiple systems, while others are system-specific. Since different systems require different levels of protection, these controls should be documented so they can easily be tailored as the company’s needs change.

Implement

This step requires organizations to implement the right security controls to protect the confidentiality, integrity, and availability of information stored on each system—as well as the privacy of individuals. Because these controls have major implications for the operations and assets of the company, it’s critical that organizations implement safeguards in a way that meets the needs of stakeholders across the organization. It’s also critical that these protection capabilities are implemented correctly and operate as expected.  

Assess

After the security controls are selected and implemented, organizations must evaluate these safeguards to ensure they’re operating as envisioned and are achieving the desired outcomes. To accomplish this, organizations need to appoint an evaluation team charged with developing an assessment plan. This plan should include specific remediation steps to address any deficiencies.

Authorize

To authorize their risk management framework, organizations should appoint a senior management official within the organization to determine whether the operation of the system and the use of security controls, is sufficient. A senior official is especially critical for authorizing systems that process personally identifiable information. A valid authorization should be required for all critical systems and before new systems are allowed to operate.

Monitor

The last step requires continuously monitoring system risks to maintain ongoing situational awareness. To maintain near-time risk management, organizations often use automated tools to quickly analyze and respond to risks as they emerge. By continuously monitoring for security and privacy risks, organizations can easily adapt to new threats, while continually maintaining the authorization of their systems.  

A well-integrated risk management strategy.

Taken together, these seven steps provide a set of best practices for implementing a well-integrated risk management strategy. By implementing the NIST risk management framework, organizations can gain true visibility into their risk exposure, while protecting themselves from the most critical cybersecurity attacks that can jeopardize their business and the customers they serve.

As you develop your risk management strategy, SailPoint can help. Find out how SailPoint Identity Security can protect user access across your cloud enterprise.