NIST SP 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
1. Categorization (NIST SP 800-37 Rev. 2, 2018):
In this step, information systems are categorized based on their impact levels (low, moderate, or high) regarding security and privacy. This helps determine the appropriate set of security controls.
Objective: Understand the system’s sensitivity and risk tolerance.
2. Control Selection, Implementation, and Assessment (NIST SP 800-37 Rev. 2, 2018):
Here, security and privacy controls are selected from NIST Special Publication 800-53 and implemented within the system. The controls are then assessed to confirm that they are implemented correctly and operating effectively.
Objective: Establish a robust security posture by implementing the necessary controls, and conduct a line-by-line assessment to validate that posture.
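The categorization and control-selection steps above are linked: the impact level assigned in step 1 drives which NIST SP 800-53 baseline is selected in step 2. The following Python example (added here; it is not part of the original text and not NIST's code) works that through using the FIPS 199 high-water-mark rule, which this page does not spell out: each information type on the system is rated low, moderate or high for confidentiality, integrity and availability, the system inherits the highest rating per objective, and the overall impact level is the highest of those three. The information types and their ratings are constructed assumptions, not values from NIST SP 800-60.

```python
"""Added example: FIPS 199-style high-water-mark categorization and baseline selection.

Not part of NIST SP 800-37; the information types and ratings below are constructed.
"""
from typing import Dict, Iterable, Tuple

LEVELS = ("low", "moderate", "high")
RANK = {name: i for i, name in enumerate(LEVELS)}  # ordering used for the high-water mark

# Constructed information types with provisional (C, I, A) impact levels.
# These are illustrative assumptions, not provisional values from SP 800-60.
INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "public_web_content": ("low", "moderate", "low"),
    "employee_pii": ("moderate", "moderate", "low"),
    "payment_records": ("high", "high", "moderate"),
}


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among the given levels."""
    return max(levels, key=lambda level: RANK[level])


def categorize_system(info_types: Dict[str, Tuple[str, str, str]]) -> Dict[str, str]:
    """Compute per-objective impact levels across all information types, plus the overall level.

    Raises ValueError on an empty inventory or an unknown impact level, because a
    categorization built on incomplete input would silently understate risk.
    """
    if not info_types:
        raise ValueError("at least one information type is required to categorize a system")
    for name, triple in info_types.items():
        if len(triple) != 3 or any(level not in RANK for level in triple):
            raise ValueError(f"information type {name!r} has an invalid (C, I, A) rating: {triple}")

    confidentiality = high_water_mark(t[0] for t in info_types.values())
    integrity = high_water_mark(t[1] for t in info_types.values())
    availability = high_water_mark(t[2] for t in info_types.values())
    overall = high_water_mark((confidentiality, integrity, availability))
    return {
        "confidentiality": confidentiality,
        "integrity": integrity,
        "availability": availability,
        "overall": overall,
    }


def security_category(category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 notation SC = {(objective, LEVEL), ...}."""
    parts = [f"({obj}, {category[obj].upper()})" for obj in ("confidentiality", "integrity", "availability")]
    return "SC = {" + ", ".join(parts) + "}"


def select_baseline(category: Dict[str, str]) -> str:
    """Map the overall impact level to the SP 800-53 baseline used as the starting point for step 2."""
    return f"SP 800-53 {category['overall']} baseline"


if __name__ == "__main__":
    cat = categorize_system(INFO_TYPES)
    print(security_category(cat))
    print("overall impact:", cat["overall"])
    print("starting baseline:", select_baseline(cat))
```

Note that the baseline is only the starting point: SP 800-37 expects the organization to tailor it, and the tailoring decisions must be recorded so that the assessment in step 2 and the authorization in step 3 can be traced back to them.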
3. System and Common Control Authorizations (NIST SP 800-37 Rev. 2, 2018):
This step involves obtaining authorization for the system and any common controls it shares with other systems.
The Authorizing Official (AO) evaluates the system’s security posture and grants or denies authorization to operate (ATO).
Objective: Ensure that the system meets security requirements and is authorized to operate at the system sensitivity and risk tolerance level it was categorized at.
4. Continuous Monitoring (NIST SP 800-37 Rev. 2, 2018):
Continuous monitoring involves ongoing assessment of security controls, system performance, and risk.
It provides near real-time risk management by monitoring security events, vulnerabilities, and changes.
Objective: Maintain awareness of the system’s security status and respond promptly to any issues.
Why is System and Common Control Authorization Important?
System and common control authorizations are crucial because they validate that the system adheres to security requirements and is fit for operation (RMF Prepare Step: Student Guide, 2022). Without proper authorization, a system may pose risks to data, privacy, and overall mission success (NIST SP 800-37 Rev. 2, 2018).
NIST Publication for Continuous Monitoring:
The detailed guidance for continuous monitoring is provided in NIST Special Publication 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This publication outlines the processes, roles, and responsibilities related to continuous monitoring. It was published in December 2018 (NIST SP 800-37 Rev. 2, 2018).
Risk Responses During Continuous Monitoring:
If a cyber-attack is detected or a system compromise occurs during continuous monitoring, the following risk responses are possible (NIST SP 800-37 Rev. 2, 2018):
Mitigation/Acceptance/Transfer: Implement immediate measures to reduce the impact of an attack or compromise.
Containment: Isolate affected components to prevent further spread.
Recovery: Restore the system to a secure state.
Notification: Inform relevant stakeholders.
Investigation: Analyze the incident to understand its scope and impact.
The Authorizing Official (AO) holds primary responsibility for deciding on or taking appropriate actions in response to such incidents.
Difference Between Continuous Monitoring and Real-Time Monitoring and Analytics:
Continuous Monitoring (as defined by NIST):
Regularly assesses security controls and system performance on a scheduled basis.
Provides periodic updates on risk and security status.
Example: Quarterly vulnerability scans (NIST SP 800-37 Rev. 2, 2018).
Real-Time Monitoring and Analytics:
Monitors events and data in real time.
Detects anomalies, threats, and attacks instantly.
Examples:
- Intrusion Detection Systems (IDS): Detects unauthorized access attempts.
- Network Traffic Analysis: Identifies abnormal patterns in network traffic.
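The distinction drawn above, between a scheduled assessment and instant detection, is easiest to see when both are run over the same event stream. The Python example below (added here; not code from the original text or from NIST) does that with a constructed set of SSH authentication log lines: a streaming detector raises an alert within seconds when one source address accumulates five failed logins inside a 60-second window, while a scheduled summary only aggregates failures per hour after the hour has ended. The log lines, the threshold and the window are constructed assumptions for illustration.

```python
"""Added example: real-time detection versus scheduled summary over the same log stream.

Log lines, threshold and window are constructed for illustration; not NIST code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed syslog-style sshd lines (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7
2024-03-01T10:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7
2024-03-01T10:00:04 sshd[1202]: Accepted password for alice from 198.51.100.12
2024-03-01T10:00:05 sshd[1201]: Failed password for invalid user root from 203.0.113.7
2024-03-01T10:00:06 sshd[1201]: Failed password for invalid user root from 203.0.113.7
2024-03-01T10:00:07 sshd[1201]: Failed password for invalid user root from 203.0.113.7
2024-03-01T10:15:00 sshd[1203]: Failed password for bob from 198.51.100.12
2024-03-01T11:30:00 sshd[1204]: Failed password for bob from 198.51.100.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one sshd line into a dict; return None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def realtime_alerts(
    lines: Iterable[str], threshold: int = 5, window: timedelta = timedelta(seconds=60)
) -> List[Tuple[datetime, str, int]]:
    """Streaming detector: alert the moment a source IP reaches `threshold` failures inside `window`.

    Each event is evaluated as it arrives, so the alert timestamp is the time of the
    triggering event, not the end of a reporting period. One alert per IP is emitted
    to avoid flooding the responder with duplicates for the same burst.
    """
    recent: Dict[str, deque] = defaultdict(deque)  # per-IP sliding window of failure times
    alerts: List[Tuple[datetime, str, int]] = []
    already_alerted = set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in already_alerted:
            alerts.append((ev["ts"], ev["ip"], len(q)))
            already_alerted.add(ev["ip"])
    return alerts


def periodic_summary(lines: Iterable[str], period: timedelta = timedelta(hours=1)) -> Dict[datetime, Dict[str, int]]:
    """Scheduled assessment: count failures per source IP in each reporting period.

    This is the continuous-monitoring view: it is only complete once a period has
    closed, so a burst at 10:00:07 is first visible in the report for 10:00-11:00.
    """
    buckets: Dict[datetime, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        midnight = ev["ts"].replace(hour=0, minute=0, second=0, microsecond=0)
        start = midnight + ((ev["ts"] - midnight) // period) * period  # floor to period boundary
        buckets[start][ev["ip"]] += 1
    return {start: dict(counts) for start, counts in sorted(buckets.items())}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, ip, n in realtime_alerts(lines):
        print(f"REAL-TIME ALERT {ts.isoformat()} {ip}: {n} failed logins within 60s")
    for start, counts in periodic_summary(lines).items():
        print(f"PERIODIC {start.isoformat()} failures by source: {counts}")
```

Running it shows the point of the distinction: the real-time detector fires at 10:00:07 for 203.0.113.7, whereas the hourly summary reports the same five failures only as a count attached to the 10:00 period, and never fires at all for the two isolated failures from 198.51.100.12. Both views belong in an RMF continuous-monitoring strategy; the scheduled one feeds the risk and authorization picture, the streaming one feeds incident response.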
In summary, RMF ensures that systems are secure, authorized, and continuously monitored, while real-time monitoring adds an extra layer of vigilance for immediate threat detection.
References
Center for Development of Security Excellence. (2022, April). RMF Prepare Step: Student Guide. CDSE. https://www.cdse.edu/Portals/124/Documents/student-guides/CS101-guide.pdf
NIST Joint Task Force. (2018, December). NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. NIST CSRC. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf