RMF
RISK MANAGEMENT FRAMEWORK
NIST SP 800-37 Revision 2
Risk Management Framework for Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
RMF 2.0
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
NIST/ITL/CSD Public Comment Process
• All publications produced by CSD go through the public comment process
• Your voice will be heard!!
• Receive notifications of newly posted drafts (and more) by subscribing at http://csrc.nist.gov/publications/subscribe.html
• There may be one or more drafts of a given publication
• Drafts are published at http://csrc.nist.gov/publications/PubsDrafts.html
• Lengths of public comment periods vary
Risk Management
“If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”
- McGeorge Bundy, National Security Advisor to U.S. Presidents Kennedy and Johnson
Risk can never be eliminated and so it must be MANAGED!!
• Managing risk doesn’t mean fixing everything, nor does it mean not fixing anything…
• Risk Management is about knowledge and understanding!
Graphic copied from: http://www.featurepics.com/online/Risk-1109124.aspx
RMF Roles and Responsibilities
• Senior Accountable Official for Risk Management and Risk Executive (Function)
• Senior Agency Official for Privacy
• Authorizing Official (AO) and Designated Rep
• Senior Information Security Officer
• Common Control Provider
• System Owner
• Information Owner/Steward
• System Security/Privacy Officer
• Control Assessor
SP 800-37 Rev 2 Timeline So Far
• Federal interagency working group review during spring 2017
• Extensive discussion sessions with OMB OIRA throughout winter/spring 2017/2018
• JTF Review
• Initial Public Draft released 9 May 2018 with six week comment period
• NIST adjudicated ~400 comments and developed FPD
• OIRA review and approval
• FPD released 2 October 2018
SP 800-37 Rev 2 Final Timeline
• Public comment period through 31 October 2018: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft
• NIST and OIRA adjudicate FPD public comments
• NIST develops final publication
• Review by JTF
• Review and approval by OIRA
• Final publication planned for December 2018*
*Publication date dependent on OMB OIRA review and approval
RMF 2.0 (steps and supporting publications)
PREPARE: SP 800-18, SP 800-30, SP 800-39, SP 800-160
CATEGORIZE: FIPS 199, SP 800-60, CUI Registry
SELECT: FIPS 200, SP 800-53
IMPLEMENT: Many NIST Pubs
ASSESS: SP 800-53A
AUTHORIZE: SP 800-37
MONITOR: SP 800-137/137A, NISTIR 8011, NISTIR 8212 & Tool
Authorization Boundaries (Section 2.5/App G)
• Defines the scope of protection for systems (i.e., what is included with the system to be authorized with respect to information, components, people, etc.)
• Includes system hardware, software, firmware, processes, and technologies needed to support organizational missions/business processes
• May or may not include the environment of operation
• Is established before system security categorization and the development of security plans
Improvements in RMF 2.0
• Addition of organization and system level Prepare Step and associated tasks
• Integrates privacy risk management
• Integrates supply chain risk management
• Expansion of Authorization options
• Aligns RMF with CSF
• Aligns RMF with security engineering processes
RMF 2.0 Task Outcomes
Task I-1 CONTROL IMPLEMENTATION – Outcomes:
• Controls specified in the security and privacy plans are implemented. [Cybersecurity Framework: PR.IP-1]
• Systems security and privacy engineering methodologies are used to implement the controls in the system security and privacy plans. [Cybersecurity Framework: PR.IP-2]
Task I-2 BASELINE CONFIGURATION – Outcomes:
• The configuration baseline is established. [Cybersecurity Framework: PR.IP-1]
• The security and privacy plans are updated based on information obtained during the implementation of the controls. [Cybersecurity Framework: Profile]
RMF 2.0 Task Structure
RISK ASSESSMENT—ORGANIZATION
Task P-3 (New): Assess organization-wide security and privacy risk and update the results on an ongoing basis.
Potential Inputs: Risk management strategy; mission or business objectives; current threat information; system-level risk assessment results; previous organization-level risk assessment results; security- and privacy-related information from continuous monitoring; information sharing agreements or memoranda of understanding.
Potential Outputs: Organization-level risk assessment results.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level is focused on risk to mission or business objectives and leverages aggregated information from system-level risk…..
References: NIST SP 800-30; NIST SP 800-39 (Organization Level, Mission/Business Process Level); NIST SP 800-161; NIST IR 8062.
Privacy is Fully Integrated into RMF
• In accordance with OMB Circular A-130
• Privacy in the RMF addressed in section 2.3
• Privacy called out in task text as appropriate (e.g., Task P-3 is to assess security and privacy risk)
• Privacy-specific Inputs, Outputs, Roles, and References specified as appropriate in tasks
• Privacy-specific detail in task discussions
RMF and CSF Alignment
• Inputs and Outputs reference CSF as applicable, e.g., CSF profile as potential output from Task P-4
• Task Outcome tables reference CSF sections, categories, or sub-categories as applicable
• References for tasks list applicable CSF sections
Security Engineering and RMF Alignment
• Task references list related 800-160 process as applicable
• Section 2.4 discusses system elements/enabling systems and tasks focus on stakeholder requirements
Supply Chain and RMF Alignment
• Discussion of Supply Chain Risk Management (SCRM) within the RMF added in section 2.8
• SCRM addressed in Task discussions as applicable
• SCRM artifacts included in task Inputs and Outputs as applicable
• SCRM responsibilities noted in Appendix D
• Supply chain risk is addressed as part of security risk
Prepare Step: Organization Level
• Task P-1: ID and assign people to RM roles
• Task P-2: Establish an org-wide RM strategy
• Task P-3: Assess organization-wide risk
• Task P-4: Org-wide tailored baselines (optional)
• Task P-5: Common Control identification
• Task P-6: Prioritize within impact level (optional)
• Task P-7: Organization-wide ISCM strategy
Prepare Step: System Level (1 of 2)
• Task P-8: ID missions/business functions and processes to be supported by the system
• Task P-9: ID system stakeholders
• Task P-10: ID assets that require protection
• Task P-11: Determine authorization boundary
• Task P-12: ID information types
Prepare Step: System Level (2 of 2)
• Task P-13: ID information lifecycle
• Task P-14: Assess system-level risk
• Task P-15: Define security and privacy requirements for system and environment
• Task P-16: Determine placement within EA
• Task P-17: System registration IAW org policy
New/Revised Tasks in Existing Steps (1 of 2)
• Categorize, Task C-2: Review and approve categorization results and decision
• Select, Task S-1: Allocate requirements (expanded from identify common controls)
• Select, Task S-3: Tailor selected controls
• Select, Task S-4: Document planned implementation details in plans
• Implement, Task I-2: Document implementation details different from planned (config baseline)
New/Revised Tasks in Existing Steps (2 of 2)
• Assess, Task A-1: Select appropriate assessor
• Assess, Task A-6: POA&M (moved from Authorize)
• Authorize, Task R-2: Risk analysis added to risk determination by AO
• Authorize, Task R-3: Respond to risk
• Authorize, Task R-5: Report the authorization decision and significant risk as required
Authorization Options
• Authorization to Operate
• System Authorization (Traditional or Joint)
• Type Authorization
• Facility Authorization
• Common Control Authorization
• Authorization to Use
• Denial of Authorization
Note: Ongoing authorization supplemental guidance (June 2014) incorporated into Appendix F
SP 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations

800-53 Rev 5 Timeline So Far
• Call for pre-comments spring 2016
• Adjudicated ~3000 comments and coordinated with SMEs (Privacy, SCRM, ID Mgmt., Crypto, etc.)
• Federal interagency working group baseline review during late winter/early spring 2017
• Extensive discussion sessions with OMB OIRA throughout spring/summer 2017
• IPD published 15 August 2017
• Adjudicated ~2000 public comments as above
• FPD currently under development
800-53 Rev 5 Timeline for FPD and Final
• Final Public Draft (FPD) next steps:
  • Review by JTF
  • Review and approval by OMB OIRA
  • FPD publication planned for January 2019*
• Final publication next steps:
  • Adjudicate public comments on the FPD
  • NIST develops final publication
  • Reviews and approvals as above
  • Final publication planned for Spring 2019*
*Publication date dependent on OMB OIRA review and approval

800-53 Rev 5 Changes Summary (1 of 4)
• Complete integration of privacy controls (removal of Appendix J with App J mapping in FPD)
• Two new Privacy Control families in IPD changed to different new Privacy Control family in FPD
• New Supply Chain control family in FPD
• Incorporated Program Management family into main control set
• Complete control set in Chapter 3

800-53 Rev 5 Changes Summary (2 of 4)
• Baselines and tailoring guidance will be placed in new volume, SP 800-53B
• Some changes to all baselines, mostly in accordance with suggestions from working group
• Revised/clarified/added control language and supplemental guidance
• Streamlined front matter to focus only on the control set and how to use it

800-53 Rev 5 Changes Summary (3 of 4)
• Removed lead-in entities to each control
  • Focus on outcomes
  • Align with security engineering
  • Align with Cybersecurity Framework
  • Retained entity info in a column in table (App ?)
• Reduced the federal focus
  • More usable and welcoming for all sectors
  • More usable and applicable for all system types
  • More usable for security engineering in all sectors

800-53 Rev 5 Changes Summary (4 of 4)
• Rearranged appendices
• Removed priority codes
• Keywords appendix added in IPD to be removed in FPD and provided as supplemental material
• Thorough scrub of:
  • Related Controls
  • References
  • Glossary
  • ISO 27001 Mapping
Security Control Structure – Revision 5
AU-4 AUDIT LOG STORAGE CAPACITY
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
Discussion: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
Related controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, SI-4.
Control Enhancements:
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
Supplemental Guidance: This type of transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. This control enhancement is similar to AU-9(2) in that the audit logs are transferred to a different entity; however, the primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either enhancement to obtain the dual benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
Related controls: None.
References: None.
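The AU-4 text above sizes audit log storage to a retention requirement, and AU-4(1) off-loads logs to alternate storage; AU-9(2) is mentioned for the integrity of the transferred records. The following Python is an added example, not code from the NIST slides or from any NIST tool, showing one way a system owner could implement and self-check those requirements. The retention parameters, directory names, sample audit lines, the 1.5 headroom factor and the use of a second directory as "alternate storage" are assumptions for illustration; a real deployment would ship the logs to a separate log host and verify the manifest there.

```python
# Added example (not from the NIST slides): implement and self-check AU-4
# (capacity sized to a retention requirement) and AU-4(1) (off-load to
# alternate storage), with a SHA-256 manifest for the integrity concern the
# slide attributes to AU-9(2).
# Assumptions for illustration: retention is in days, daily volume is estimated
# from the largest existing file, and "alternate storage" is a second directory.
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class CapacityPlan:
    retention_days: int         # [Assignment: organization-defined retention]
    est_daily_bytes: int        # observed or estimated daily audit log volume
    safety_factor: float = 1.5  # headroom so capacity is not exceeded (AU-4 discussion)

    def required_bytes(self) -> int:
        return int(self.retention_days * self.est_daily_bytes * self.safety_factor)


def current_usage(log_dir: Path) -> int:
    return sum(p.stat().st_size for p in log_dir.iterdir() if p.is_file())


def capacity_ok(log_dir: Path, allocated_bytes: int, plan: CapacityPlan) -> bool:
    """AU-4 check: allocation covers the retention requirement and current usage fits."""
    return allocated_bytes >= plan.required_bytes() and current_usage(log_dir) <= allocated_bytes


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def offload(log_dir: Path, alt_dir: Path, keep_newest: int) -> dict:
    """AU-4(1): move all but the newest `keep_newest` logs to alternate storage.

    Returns {filename: sha256} captured before each move and re-checked after it,
    and writes the same digests to MANIFEST.sha256 beside the moved logs so the
    receiving side can verify them independently.
    """
    alt_dir.mkdir(parents=True, exist_ok=True)
    files = sorted((p for p in log_dir.iterdir() if p.is_file()),
                   key=lambda p: p.stat().st_mtime)
    to_move = files[:-keep_newest] if keep_newest else files
    manifest = {}
    for src in to_move:
        digest = sha256_file(src)
        dest = alt_dir / src.name
        shutil.move(str(src), str(dest))
        if sha256_file(dest) != digest:
            raise RuntimeError(f"integrity mismatch after off-load: {src.name}")
        manifest[src.name] = digest
    (alt_dir / "MANIFEST.sha256").write_text(
        "".join(f"{d}  {n}\n" for n, d in manifest.items()))
    return manifest


def demo() -> dict:
    """Constructed scenario: seven daily audit files, an allocation that is
    deliberately too small, then an off-load that brings usage back under it."""
    root = Path(tempfile.mkdtemp())
    log_dir, alt_dir = root / "var_log_audit", root / "alt_storage"
    log_dir.mkdir()
    line = b"type=USER_LOGIN msg=audit(1700000000.000:1): sample constructed line\n"
    for day in range(7):                      # constructed sample data, oldest first
        f = log_dir / f"audit.log.{day}"
        f.write_bytes(line * 24)
        os.utime(f, (1_700_000_000 + day * 86400,) * 2)  # deterministic mtime order
    plan = CapacityPlan(retention_days=7,
                        est_daily_bytes=max(p.stat().st_size for p in log_dir.iterdir()))
    allocated = 4096                          # too small: the AU-4 check must fail
    before_ok = capacity_ok(log_dir, allocated, plan)
    manifest = offload(log_dir, alt_dir, keep_newest=2)
    return {
        "required_bytes": plan.required_bytes(),
        "before_ok": before_ok,
        "offloaded": sorted(manifest),
        "after_usage_fits": current_usage(log_dir) <= allocated,
        "manifest_valid": all(sha256_file(alt_dir / n) == d for n, d in manifest.items()),
    }


if __name__ == "__main__":
    print(demo())
```

The digest is taken before the move and re-checked after it, so a truncated or corrupted transfer fails loudly instead of silently shrinking the audit trail; the written manifest is what an assessor would compare against on the alternate system.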
Security Controls are Technology Neutral
• Security controls are intentionally not focused on any specific technologies
• Security control implementations & assessment methods will likely vary based on the technology to which the control is being applied, e.g.:
  • Cloud-based systems
  • Mobile systems
  • Applications
  • Sensors
  • “IoT”
800-53B Rev 5 Baselines
CNTL NO. | CONTROL NAME | PRIVACY-RELATED | LOW | MODERATE | HIGH
Access Control – AC
AC-1 | Access Control Policy and Procedures | | AC-1 | AC-1 | AC-1
AC-2 | Account Management | | AC-2 | AC-2 (1) (2) (3) (4) (10) (13) | AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3 | Access Enforcement | | AC-3 | AC-3 | AC-3
AC-4 | Information Flow Enforcement | | — | AC-4 | AC-4 (4)
AC-5 | Separation of Duties | | — | AC-5 | AC-5
AC-6 | Least Privilege | | AC-6 (7) (9) | AC-6 (1) (2) (5) (7) (9) (10) | AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7 | Unsuccessful Logon Attempts | | AC-7 | AC-7 | AC-7
AC-8 | System Use Notification | | AC-8 | AC-8 | AC-8
AC-9 | Previous Logon (Access) Notification | | — | — | —
AC-10 | Concurrent Session Control | | — | — | AC-10
AC-11 | Device Lock | | — | AC-11 (1) | AC-11 (1)
AC-12 | Session Termination | | — | AC-12 | AC-12
AC-13 | Withdrawn | | | |
AC-14 | Permitted Actions without Identification or Authentication | | AC-14 | AC-14 | AC-14
800-53 Rev 5 Appendix Excerpt
CONTROL NAME / CONTROL ENHANCEMENT NAME | WITHDRAWN | PRIVACY-RELATED | IMPLEMENTED BY | ASSURANCE
PL-1 Planning Policy and Procedures | | P | O | A
PL-2 Security and Privacy Plans | | P | O | A
PL-2(1) Concept of operations | W: Incorporated into PL-7. | | |
PL-2(2) Functional architecture | W: Incorporated into PL-8. | | |
PL-2(3) Plan and coordinate with other organizational entities | | P | O | A
PL-3 System Security Plan Update | W: Incorporated into PL-2. | | |
PL-4 Rules of Behavior | | P | O | A
PL-4(1) Social media and networking restrictions | | | O | A
PL-5 Privacy Impact Assessment | W: Incorporated into RA-8. | | |
PL-6 Security-Related Activity Planning | W: Incorporated into PL-2. | | |
PL-7 Concept of Operations | | P | O |
PL-8 Security and Privacy Architectures | | P | O | A
PL-8(1) Defense-in-depth | | | O | A
PL-8(2) Supplier diversity | | P | O | A
PL-9 Central Management | | P | O | A
PL-10 Baseline Selection | | | O |
PL-11 Baseline Tailoring | | | O |
Note: Privacy-related controls and control enhancements are not allocated to baselines in this table. See XXX for control selection and implementation guidance.

800-53 Rev 5 Privacy Integration
• Privacy fully integrated throughout Rev 5
• Privacy controls from App J and OMB A-130 privacy requirements incorporated into main control set
  • Privacy controls added in existing families
    • Most in Program Management family
    • Some in other families (SA, SI)
  • “Sharing” existing controls
  • New privacy family: Processing Permissions (PP)
• Privacy Appendix to include:
  • Mappings to OMB requirements and controls from App J
  • Summary tables
800-53 Rev 5 FPD Control Families
ID | FAMILY
AC | Access Control
AT | Awareness and Training
AU | Audit and Accountability
CA | Security Assessment and Authorization
CM | Configuration Management
CP | Contingency Planning
IA | Identification and Authentication
IR | Incident Response
MA | Maintenance
MP | Media Protection
PE | Physical and Environmental Protection
PL | Planning
PM | Program Management
PP | Processing Permissions*
PS | Personnel Security
RA | Risk Assessment
SA | System and Services Acquisition
SC | System and Communications Protection
SP | Supply Chain Protection*
SI | System and Information Integrity
*New families in Rev 5 FPD
800-53 Update Automation Application
• Purpose: Increase agility and reduce effort and angst due to significant change every 3-5 years
• Web application operational immediately after R5 final
• Provides workflows for:
  • Customers to propose changes to all aspects of controls
  • NIST staff to review proposals and push to SMEs if necessary
  • Public comments on proposed changes
  • Saving approved changes in a sandbox until next version
  • JTF review, OIRA review/approval, Editorial Review Board
• Versions:
  • Minor (to include errata) – planned for quarterly
  • Major – planned for annually
Status of Other FISMA Publications
• SP 800-18 Rev 2, Security Plan Guideline: In progress, IPD early CY 2019.
• SP 800-47 Rev 1, Managing System Information Exchanges (working title): In progress, IPD early CY 2019 (current version title is Security Guide for Interconnecting Information Technology Systems)
• SP 800-60 Rev 2, Information Types Guideline: Partnering with NARA to incorporate CUI - Temporarily on hold
• SP 800-137A, Assessment Procedures for the ISCM Program: In progress, IPD before end of CY 2018
• NIST SP 800-160*, Systems Security Engineering: Volume 1 published 11-16, Volume 2 IPD on Multidisciplinary Approach to SE published 3-18
• NISTIR 8011*, Automation Support for Ongoing Assessment, Volumes 1 and 2: Final June 2017; Volume 3 in ERB/final to be published in next few weeks
• NISTIR 8212 and Tool, ISCM Assessment: In Progress, IPD early CY 2019
* Multiple volumes planned
Contact Information
Position | Name
Project Leader and NIST Fellow | Dr. Ron Ross
Team Lead and Senior Information Security Specialist | Victoria Pillitteri
Senior Information Security Specialist | Kelley Dempsey
Information Security Specialists | Ned Goren, Jody Jacobs
Administrative Support | Jeff Brewer
Comments: sec-cert@nist.gov (goes to all of the above)
Web: csrc.nist.gov/sec-cert
NIST Framework for Information System
40

More Related Content

PPSX
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
PPTX
NIST Risk Management Framework (RMF)
PDF
NIST CSD Cybersecurity Publications 20160417
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
PDF
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
PDF
SANS 2013 Critical Security Controls Survey
PPTX
Extending the 20 critical security controls to gap assessments and security m...
PDF
Assessing Risk: Developing a Client/Server Security Architecture,
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST Risk Management Framework (RMF)
NIST CSD Cybersecurity Publications 20160417
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
SANS 2013 Critical Security Controls Survey
Extending the 20 critical security controls to gap assessments and security m...
Assessing Risk: Developing a Client/Server Security Architecture,

What's hot (20)

PDF
Nist.sp.800 53r4 (1)
PPTX
Introduction to NIST’s Risk Management Framework (RMF)
PDF
A Case Study of the Capital One Data Breach
PPT
Software security engineering
PDF
Building a Product Security Practice in a DevOps World
PPTX
what is security
PDF
Software Development Life Cycle – Managing Risk and Measuring Security
PPTX
Prioritizing an audit program using the 20 critical controls
PDF
Intel Presentation from NIST Cybersecurity Framework Workshop 6
PDF
Cs cmaster
PDF
Security Policy Checklist
PPT
Secure by design and secure software development
PPTX
Information Assurance Metrics: Practical Steps to Measurement
PPTX
How to implement NIST cybersecurity standards in my organization
PDF
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
PDF
Information Assurance, A DISA CCRI Conceptual Framework
PPTX
IT6701-Information Management Unit 2
PDF
Hipaa checklist - information security
DOC
Importance Of Structured Incident Response Process
PPTX
Threat Modeling - Writing Secure Code
Nist.sp.800 53r4 (1)
Introduction to NIST’s Risk Management Framework (RMF)
A Case Study of the Capital One Data Breach
Software security engineering
Building a Product Security Practice in a DevOps World
what is security
Software Development Life Cycle – Managing Risk and Measuring Security
Prioritizing an audit program using the 20 critical controls
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Cs cmaster
Security Policy Checklist
Secure by design and secure software development
Information Assurance Metrics: Practical Steps to Measurement
How to implement NIST cybersecurity standards in my organization
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
Information Assurance, A DISA CCRI Conceptual Framework
IT6701-Information Management Unit 2
Hipaa checklist - information security
Importance Of Structured Incident Response Process
Threat Modeling - Writing Secure Code
Ad

Similar to NIST Framework for Information System (20)

PPT
5757912.ppt
PPTX
800-37.pptx
PPTX
NISTSP80037rev2-by Beruos.pptx
PPTX
L2 RMF Phase 1 Prepare.pptx
PPTX
NISTSP80037rev2.pptx
PDF
National Institute of Standards and Technology (NIST) Risk Management Framework
PDF
NIST.SP.800-37r2.pdf
PDF
Nist.sp.800 37r2
PDF
Introduction to NIST Cybersecurity Framework
DOCX
NIST Special Publication 800-37 Revision 2 Ris.docx
PDF
NIST Cybersecurity Framework (CSF) 2.0 Workshop
PDF
Nist cybersecurity framework isc2 quantico
PPTX
Risk Management Strategy (RMF v2)
PDF
PDF
NIST critical_infrastructure_cybersecurity.pdf
PDF
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
PDF
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
PDF
NIST Cybersecurity Framework 101
PPTX
cybersecurity_framework_webinar_2017.pptx
PDF
Demystifying the Cyber NISTs
5757912.ppt
800-37.pptx
NISTSP80037rev2-by Beruos.pptx
L2 RMF Phase 1 Prepare.pptx
NISTSP80037rev2.pptx
National Institute of Standards and Technology (NIST) Risk Management Framework
NIST.SP.800-37r2.pdf
Nist.sp.800 37r2
Introduction to NIST Cybersecurity Framework
NIST Special Publication 800-37 Revision 2 Ris.docx
NIST Cybersecurity Framework (CSF) 2.0 Workshop
Nist cybersecurity framework isc2 quantico
Risk Management Strategy (RMF v2)
NIST critical_infrastructure_cybersecurity.pdf
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
NIST Cybersecurity Framework 101
cybersecurity_framework_webinar_2017.pptx
Demystifying the Cyber NISTs
Ad

More from newbie2019 (20)

PDF
Digital forensic principles and procedure
PDF
Fundamental digital forensik
PDF
Pendahuluan it forensik
PDF
Chapter 15 incident handling
PDF
Chapter 14 sql injection
PDF
Chapter 13 web security
PDF
Chapter 12 iso 27001 awareness
PDF
Chapter 10 security standart
PDF
Chapter 8 cryptography lanjutan
PDF
Pertemuan 7 cryptography
PDF
Chapter 6 information hiding (steganography)
PDF
Vulnerability threat and attack
PDF
Chapter 4 vulnerability threat and attack
PDF
PDF
Chapter 3 security principals
PDF
Chapter 2 konsep dasar keamanan
PDF
Fundamentals of information systems security ( pdf drive ) chapter 1
PDF
Chapter 1 introduction
PDF
CCNA RSE Routing concept
PPT
Chapter 1 introduction
Digital forensic principles and procedure
Fundamental digital forensik
Pendahuluan it forensik
Chapter 15 incident handling
Chapter 14 sql injection
Chapter 13 web security
Chapter 12 iso 27001 awareness
Chapter 10 security standart
Chapter 8 cryptography lanjutan
Pertemuan 7 cryptography
Chapter 6 information hiding (steganography)
Vulnerability threat and attack
Chapter 4 vulnerability threat and attack
Chapter 3 security principals
Chapter 2 konsep dasar keamanan
Fundamentals of information systems security ( pdf drive ) chapter 1
Chapter 1 introduction
CCNA RSE Routing concept
Chapter 1 introduction

Recently uploaded (20)

PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
PDF
Pre independence Education in Inndia.pdf
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
PDF
Open folder Downloads.pdf yes yes ges yes
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
PDF
Basic Mud Logging Guide for educational purpose
PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
PDF
BÀI TẬP TEST BỔ TRỢ THEO TỪNG CHỦ ĐỀ CỦA TỪNG UNIT KÈM BÀI TẬP NGHE - TIẾNG A...
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
PDF
Introduction-to-Social-Work-by-Leonora-Serafeca-De-Guzman-Group-2.pdf
PPTX
Cardiovascular Pharmacology for pharmacy students.pptx
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
PPTX
Pharma ospi slides which help in ospi learning
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
102 student loan defaulters named and shamed – Is someone you know on the list?
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
Pre independence Education in Inndia.pdf
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
Open folder Downloads.pdf yes yes ges yes
STATICS OF THE RIGID BODIES Hibbelers.pdf
Basic Mud Logging Guide for educational purpose
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
BÀI TẬP TEST BỔ TRỢ THEO TỪNG CHỦ ĐỀ CỦA TỪNG UNIT KÈM BÀI TẬP NGHE - TIẾNG A...
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
Introduction-to-Social-Work-by-Leonora-Serafeca-De-Guzman-Group-2.pdf
Cardiovascular Pharmacology for pharmacy students.pptx
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
Pharma ospi slides which help in ospi learning
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
Abdominal Access Techniques with Prof. Dr. R K Mishra
Renaissance Architecture: A Journey from Faith to Humanism

NIST Framework for Information System

  • 1. RMF RISK MANAGEMENT FRAMEWORK NIST SP 800-37 Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy 2.0 1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
  • 2. NIST/ITL/CSD Public Comment Process 2 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY  All publications produced by CSD go through the public comment process  Your voice will be heard!!  Receive notifications of newly posted drafts (and more) by subscribing at http://csrc.nist.gov/publications/subscribe.html  There may be one or more drafts of a given publication  Drafts are published at http://csrc.nist.gov/publications/PubsDrafts.htm l  Lengths of public comment periods vary
  • 3. Risk Management “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” -McGeorge Bundy, National Security Advisor to U.S. Presidents Kennedy and Johnson 3 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
  • 4. Risk can never be eliminated and so it must be MANAGED!! • Managing risk doesn’t mean • fixing everything, • nor does it mean • not fixing anything… • Risk Management is about knowledge and understanding! Graphic copied from: http://www.featurepics.com/online/Risk- 1109124.aspx 4 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
  • 5. RMF Roles and Responsibilities 5 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY  Senior Accountable Official for Risk Management and Risk Executive (Function)  Senior Agency Official for Privacy  Authorizing Official (AO) and Designated Rep  Senior Information Security Officer  Common Control Provider  System Owner  Information Owner/Steward  System Security/Privacy Officer  Control Assessor
  • 6. SP 800-37 Rev 2 Timeline So Far 6 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY  Federal interagency working group review during spring 2017  Extensive discussion sessions with OMB OIRA throughout winter/spring 2017/2018  JTF Review  Initial Public Draft released 9 May 2018 with six week comment period  NIST adjudicated ~400 comments and developed FPD  OIRA review and approval  FPD released 2 October 2018
  • 7. SP 800-37 Rev 2 Final Timeline 7 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY  Public comment period through 31 October 2018 https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft  NIST and OIRA adjudicate FPD public comments  NIST develops final publication  Review by JTF  Review and approval by OIRA  Final publication planned for December 2018* *Publication date dependent on OMB OIRA review and approval
  • 8. RMF 2.0 CATEGORIZE FIPS 199 SP 800-60 CUI Registry ASSESS SP 800-53A AUTHORIZE SP 800-37 MONITOR SP 800-137/137A NISTIR 8011 NISTIR 8212 & Tool PREPARE SP 800-18 SP 800-30 SP 800-39 SP 800-160 IMPLEMENT Many NISTPubs SELECT FIPS200 SP 800-53 8 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
  • 9. Authorization Boundaries (Section 2.5/App G) 9 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY  Defines the scope of protection for systems (i.e., what is included with the system to be authorized WRT information, components, people, etc.)  Includes system hardware, software, firmware, processes, and technologies needed to support organizational missions/business processes  May or may not include the environment of operation  Is established before system security categorization and the development of security plans
  • 10. Improvements in RMF 2.0 10 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY  Addition of organization and system level Prepare Step and associated tasks  Integrates privacy risk management  Integrates supply chain risk management  Expansion of Authorization options  Aligns RMF with CSF  Aligns RMF with security engineering processes
  • 11. RMF 2.0 Task Outcomes 11 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Tasks Outcomes Task I-1 CONTROL IMPLEMENTATION Controls specified in the security and privacy plans are implemented. [Cybersecurity Framework: PR.IP-1] Systems security and privacy engineering methodologies are used to implement the controls in the system security and privacy plans. [Cybersecurity Framework: PR.IP-2] Task I-2 BASELINE CONFIGURATION The configuration baseline is established. [Cybersecurity Framework: PR.IP-1] The security and privacy plans are updated based on information obtained during the implementation of the controls. [Cybersecurity Framework: Profile]
RMF 2.0 Task Structure
12
RISK ASSESSMENT—ORGANIZATION (marked New)
Task P-3: Assess organization-wide security and privacy risk and update the results on an ongoing basis.
Potential Inputs: Risk management strategy; mission or business objectives; current threat information; system-level risk assessment results; previous organization-level risk assessment results; security- and privacy-related information from continuous monitoring; information sharing agreements or memoranda of understanding.
Potential Outputs: Organization-level risk assessment results.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level is focused on risk to mission or business objectives and leverages aggregated information from system-level risk…..
References: NIST SP 800-30; NIST SP 800-39 (Organization Level, Mission/Business Process Level); NIST SP 800-161; NIST IR 8062.
Privacy is Fully Integrated into RMF
13
 In accordance with OMB Circular A-130
 Privacy in the RMF addressed in section 2.3
 Privacy called out in task text as appropriate (e.g., Task P-3 is to assess security and privacy risk)
 Privacy-specific Inputs, Outputs, Roles, and References specified as appropriate in tasks
 Privacy-specific detail in task discussions
RMF and CSF Alignment
14
 Inputs and Outputs reference CSF as applicable, e.g., CSF profile as potential output from Task P-4
 Task Outcome tables reference CSF sections, categories, or sub-categories as applicable
 References for tasks list applicable CSF sections
Security Engineering and RMF Alignment
15
 Task references list related 800-160 process as applicable
 Section 2.4 discusses system elements/enabling systems, and tasks focus on stakeholder requirements
Supply Chain and RMF Alignment
16
 Discussion of Supply Chain Risk Management (SCRM) within the RMF added in section 2.8
 SCRM addressed in Task discussions as applicable
 SCRM artifacts included in task Inputs and Outputs as applicable
 SCRM responsibilities noted in Appendix D
 Supply chain risk is addressed as part of security risk
Prepare Step: Organization Level
17
 Task P-1: Identify and assign people to risk management roles
 Task P-2: Establish an organization-wide risk management strategy
 Task P-3: Assess organization-wide risk
 Task P-4: Organization-wide tailored baselines (optional)
 Task P-5: Common control identification
 Task P-6: Prioritize within impact level (optional)
 Task P-7: Organization-wide ISCM (information security continuous monitoring) strategy
Prepare Step: System Level (1 of 2)
18
 Task P-8: Identify missions/business functions and processes to be supported by the system
 Task P-9: Identify system stakeholders
 Task P-10: Identify assets that require protection
 Task P-11: Determine authorization boundary
 Task P-12: Identify information types
Prepare Step: System Level (2 of 2)
19
 Task P-13: Identify information lifecycle
 Task P-14: Assess system-level risk
 Task P-15: Define security and privacy requirements for system and environment
 Task P-16: Determine placement within enterprise architecture
 Task P-17: System registration in accordance with organizational policy
New/Revised Tasks in Existing Steps (1 of 2)
20
 Categorize, Task C-2: Review and approve categorization results and decision
 Select, Task S-1: Allocate requirements (expanded from identify common controls)
 Select, Task S-3: Tailor selected controls
 Select, Task S-4: Document planned implementation details in plans
 Implement, Task I-2: Document implementation details that differ from what was planned (configuration baseline)
New/Revised Tasks in Existing Steps (2 of 2)
21
 Assess, Task A-1: Select appropriate assessor
 Assess, Task A-6: POA&M (moved from Authorize)
 Authorize, Task R-2: Risk analysis added to risk determination by AO
 Authorize, Task R-3: Respond to risk
 Authorize, Task R-5: Report the authorization decision and significant risk as required
Authorization Options
22
 Authorization to Operate
 System Authorization (Traditional or Joint)
 Type Authorization
 Facility Authorization
 Common Control Authorization
 Authorization to Use
 Denial of Authorization
Note: Ongoing authorization supplemental guidance (June 2014) incorporated into Appendix F
SP 800-53 Revision 5
23
Security and Privacy Controls for Information Systems and Organizations
800-53 Rev 5 Timeline So Far
24
 Call for pre-comments spring 2016
 Adjudicated ~3000 comments and coordinated with SMEs (Privacy, SCRM, ID Mgmt., Crypto, etc.)
 Federal interagency working group baseline review during late winter/early spring 2017
 Extensive discussion sessions with OMB OIRA throughout spring/summer 2017
 IPD published 15 August 2017
 Adjudicated ~2000 public comments as above
 FPD currently under development
800-53 Rev 5 Timeline for FPD and Final
25
 Final Public Draft (FPD) next steps:
   Review by JTF
   Review and approval by OMB OIRA
   FPD publication planned for January 2019*
 Final publication next steps:
   Adjudicate public comments on the FPD
   NIST develops final publication
   Reviews and approvals as above
   Final publication planned for Spring 2019*
*Publication date dependent on OMB OIRA review and approval
800-53 Rev 5 Changes Summary (1 of 4)
26
 Complete integration of privacy controls (removal of Appendix J, with an App J mapping in FPD)
 Two new Privacy Control families in IPD changed to a different new Privacy Control family in FPD
 New Supply Chain control family in FPD
 Incorporated Program Management family into main control set
 Complete control set in Chapter 3
800-53 Rev 5 Changes Summary (2 of 4)
27
 Baselines and tailoring guidance will be placed in a new volume, SP 800-53B
 Some changes to all baselines, mostly in accordance with suggestions from the working group
 Revised/clarified/added control language and supplemental guidance
 Streamlined front matter to focus only on the control set and how to use it
800-53 Rev 5 Changes Summary (3 of 4)
28
 Removed lead-in entities from each control
   Focus on outcomes
   Align with security engineering
   Align with Cybersecurity Framework
   Retained entity info in a column in table (App ?)
 Reduced the federal focus
   More usable and welcoming for all sectors
   More usable and applicable for all system types
   More usable for security engineering in all sectors
800-53 Rev 5 Changes Summary (4 of 4)
29
 Rearranged appendices
 Removed priority codes
 Keywords appendix added in IPD to be removed in FPD and provided as supplemental material
 Thorough scrub of:
   Related Controls
   References
   Glossary
   ISO 27001 Mapping
Security Control Structure – Revision 5
30
AU-4 AUDIT LOG STORAGE CAPACITY
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
Discussion: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
Related controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, SI-4.
Control Enhancements:
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
Supplemental Guidance: This type of transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. This control enhancement is similar to AU-9(2) in that the audit logs are transferred to a different entity; however, the primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either enhancement to obtain the dual benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
Related controls: None.
References: None.
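The AU-4 example above is the clearest place in the deck where a control statement turns into something a system actually has to do: size local audit storage for the organization-defined retention period, alarm before it fills (the AU-5 tie-in), and off-load logs to a separate store at an organization-defined frequency (AU-4(1)), keeping an integrity check on each transferred batch so that the AU-9(2) benefit the guidance mentions is not lost. The script below is an added example written for this page; it is not NIST's code and not part of the slides. The record layout, the 90-day retention, the daily transfer frequency, the 75% alarm threshold and the in-memory AlternateStore are all hypothetical stand-ins for the organization-defined values the control leaves as assignments.

```python
"""Added example, not from the NIST slides: a small implementation of the
behaviours AU-4 and AU-4(1) describe, run over constructed audit records.
Record layout, retention/transfer parameters and AlternateStore are
hypothetical stand-ins for organization-defined values."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DAILY = timedelta(days=1)  # hypothetical organization-defined transfer frequency

# Constructed sample records (timestamp, event, size in bytes); not real logs.
SAMPLE_RECORDS = [
    {"ts": "2018-10-01T08:00:00Z", "event": "login",           "bytes": 400},
    {"ts": "2018-10-01T17:30:00Z", "event": "logout",          "bytes": 600},
    {"ts": "2018-10-02T09:15:00Z", "event": "file_read",       "bytes": 1500},
    {"ts": "2018-10-03T10:00:00Z", "event": "priv_escalation", "bytes": 1200},
    {"ts": "2018-10-04T03:00:00Z", "event": "bulk_export",     "bytes": 3000},
    {"ts": "2018-10-05T12:00:00Z", "event": "login",           "bytes": 1100},
    {"ts": "2018-10-06T12:00:00Z", "event": "login",           "bytes": 900},
    {"ts": "2018-10-07T12:00:00Z", "event": "config_change",   "bytes": 1300},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def daily_volume(records):
    """Bytes of audit data produced per UTC day."""
    per_day = defaultdict(int)
    for r in records:
        per_day[parse_ts(r["ts"]).date()] += r["bytes"]
    return dict(per_day)


def required_capacity_bytes(records, retention_days, headroom=0.25):
    """AU-4: size local storage for the retention period at the peak observed
    daily rate, with headroom so a burst cannot exhaust it before off-load."""
    peak = max(daily_volume(records).values())
    return int(peak * retention_days * (1 + headroom))


def capacity_alarm(records, capacity_bytes, threshold=0.75):
    """AU-5 tie-in: True once local storage use crosses the alert threshold."""
    used = sum(r["bytes"] for r in records)
    return used / capacity_bytes >= threshold


class AlternateStore:
    """Stand-in for the separate system or media that AU-4(1) transfers logs to.
    Each batch is kept with its SHA-256 so later tampering is detectable."""
    def __init__(self):
        self.batches = {}

    def put(self, batch_id, payload, digest):
        self.batches[batch_id] = (payload, digest)

    def verify(self, batch_id):
        payload, digest = self.batches[batch_id]
        return hashlib.sha256(payload).hexdigest() == digest


def transfer_due(last_transfer, now, interval):
    """AU-4(1): off-load at the organization-defined frequency."""
    return now - last_transfer >= interval


def offload(local_records, alternate, now):
    """Serialize what is held locally, hash it, hand it to the alternate store,
    then free the local (transitory) storage. Returns (batch_id, digest)."""
    payload = json.dumps(local_records, sort_keys=True).encode()
    digest = hashlib.sha256(payload).hexdigest()
    batch_id = now.strftime("%Y%m%dT%H%M%SZ")
    alternate.put(batch_id, payload, digest)
    local_records.clear()
    return batch_id, digest


def simulate(records, interval, alternate):
    """Replay records in time order, off-loading whenever a transfer is due.
    Returns the records still held only in local storage at the end."""
    local, last = [], parse_ts(records[0]["ts"])
    for r in records:
        now = parse_ts(r["ts"])
        if local and transfer_due(last, now, interval):
            offload(local, alternate, now)
            last = now
        local.append(r)
    return local


if __name__ == "__main__":
    cap = required_capacity_bytes(SAMPLE_RECORDS, retention_days=90)
    store = AlternateStore()
    left = simulate(SAMPLE_RECORDS, DAILY, store)
    print(f"capacity for 90 days: {cap} bytes; alarm at current use: "
          f"{capacity_alarm(SAMPLE_RECORDS, cap)}; batches off-loaded: "
          f"{len(store.batches)}; still local: {len(left)}; "
          f"all batches verify: {all(store.verify(b) for b in store.batches)}")
```

Sizing from the peak observed day rather than the average is deliberate: the control's stated purpose is to avoid losing logging capability when capacity is exceeded, and the day a bulk export or an incident happens is exactly the day the logs matter. The per-batch hash is what lets an assessor check that what arrived at the alternate store is what left the logging host, which is the AU-9(2) property the supplemental guidance says an organization can obtain alongside the capacity benefit.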
Security Controls are Technology Neutral
31
 Security controls are intentionally not focused on any specific technologies
 Security control implementations and assessment methods will likely vary based on the technology to which the control is being applied, e.g.:
   Cloud-based systems
   Mobile systems
   Applications
   Sensors
   "IoT"
800-53B Rev 5 Baselines
32
Excerpt from the Access Control (AC) family. Columns in the original table: Control No., Control Name, Privacy-Related, and the Low, Moderate and High control baselines; the baseline columns list the control and the enhancement numbers selected for that baseline.

CNTL NO. | CONTROL NAME | LOW | MODERATE | HIGH
AC-1 | Access Control Policy and Procedures | AC-1 | AC-1 | AC-1
AC-2 | Account Management | AC-2 | AC-2 (1) (2) (3) (4) (10) (13) | AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3 | Access Enforcement | AC-3 | AC-3 | AC-3
AC-4 | Information Flow Enforcement | — | AC-4 | AC-4 (4)
AC-5 | Separation of Duties | — | AC-5 | AC-5
AC-6 | Least Privilege | AC-6 (7) (9) | AC-6 (1) (2) (5) (7) (9) (10) | AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7 | Unsuccessful Logon Attempts | AC-7 | AC-7 | AC-7
AC-8 | System Use Notification | AC-8 | AC-8 | AC-8
AC-9 | Previous Logon (Access) Notification | — | — | —
AC-10 | Concurrent Session Control | — | — | AC-10
AC-11 | Device Lock | — | AC-11 (1) | AC-11 (1)
AC-12 | Session Termination | — | AC-12 | AC-12
AC-13 | Withdrawn | | |
AC-14 | Permitted Actions without Identification or Authentication | AC-14 | AC-14 | AC-14
800-53 Rev 5 Appendix Excerpt
33
Excerpt from the Planning (PL) family summary table. Column markers: W = withdrawn, P = privacy-related, O = implemented by organization, A = assurance control.

CONTROL / ENHANCEMENT | NAME | WITHDRAWN | PRIVACY-RELATED | IMPLEMENTED BY | ASSURANCE
PL-1 | Planning Policy and Procedures | | P | O | A
PL-2 | Security and Privacy Plans | | P | O | A
PL-2(1) | Concept of operations | W: Incorporated into PL-7. | | |
PL-2(2) | Functional architecture | W: Incorporated into PL-8. | | |
PL-2(3) | Plan and coordinate with other organizational entities | | P | O | A
PL-3 | System Security Plan Update | W: Incorporated into PL-2. | | |
PL-4 | Rules of Behavior | | P | O | A
PL-4(1) | Social media and networking restrictions | | | O | A
PL-5 | Privacy Impact Assessment | W: Incorporated into RA-8. | | |
PL-6 | Security-Related Activity Planning | W: Incorporated into PL-2. | | |
PL-7 | Concept of Operations | | P | O |
PL-8 | Security and Privacy Architectures | | P | O | A
PL-8(1) | Defense-in-depth | | | O | A
PL-8(2) | Supplier diversity | | P | O | A
PL-9 | Central Management | | P | O | A
PL-10 | Baseline Selection | | | O |
PL-11 | Baseline Tailoring | | | O |
Note: Privacy-related controls and control enhancements are not allocated to baselines in this table. See XXX for control selection and implementation guidance.
800-53 Rev 5 Privacy Integration
34
 Privacy fully integrated throughout Rev 5
 Privacy controls from App J and OMB A-130 privacy requirements incorporated into main control set
   Privacy controls added in existing families
     Most in Program Management family
     Some in other families (SA, SI)
   "Sharing" existing controls
   New privacy family: Processing Permissions (PP)
 Privacy Appendix to include:
   Mappings to OMB requirements and controls from App J
   Summary tables
800-53 Rev 5 FPD Control Families
35
ID | FAMILY
AC | Access Control
AT | Awareness and Training
AU | Audit and Accountability
CA | Security Assessment and Authorization
CM | Configuration Management
CP | Contingency Planning
IA | Identification and Authentication
IR | Incident Response
MA | Maintenance
MP | Media Protection
PE | Physical and Environmental Protection
PL | Planning
PM | Program Management
PP | Processing Permissions*
PS | Personnel Security
RA | Risk Assessment
SA | System and Services Acquisition
SC | System and Communications Protection
SP | Supply Chain Protection*
SI | System and Information Integrity
*New families in Rev 5 FPD
800-53 Update Automation Application
36
 Purpose: Increase agility and reduce effort and angst due to significant change every 3-5 years
 Web application operational immediately after Rev 5 final
 Provides workflows for:
   Customers to propose changes to all aspects of controls
   NIST staff to review proposals and push to SMEs if necessary
   Public comments on proposed changes
   Saving approved changes in a sandbox until next version
   JTF review, OIRA review/approval, Editorial Review Board
 Versions:
   Minor (to include errata) – planned for quarterly
   Major – planned for annually
Status of Other FISMA Publications
37
 SP 800-18 Rev 2, Security Plan Guideline: In progress, IPD early CY 2019.
 SP 800-47 Rev 1, Managing System Information Exchanges (working title): In progress, IPD early CY 2019 (current version title is Security Guide for Interconnecting Information Technology Systems)
 SP 800-60 Rev 2, Information Types Guideline: Partnering with NARA to incorporate CUI; temporarily on hold
 SP 800-137A, Assessment Procedures for the ISCM Program: In progress, IPD before end of CY 2018
 NIST SP 800-160*, Systems Security Engineering: Volume 1 published November 2016; Volume 2 IPD on Multidisciplinary Approach to SE published March 2018
 NISTIR 8011*, Automation Support for Ongoing Assessment, Volumes 1 and 2: Final June 2017; Volume 3 in ERB/final to be published in next few weeks
 NISTIR 8212 and Tool, ISCM Assessment: In progress, IPD early CY 2019
* Multiple volumes planned
Contact Information
38
Position | Name
Project Leader and NIST Fellow | Dr. Ron Ross
Team Lead and Senior Information Security Specialist | Victoria Pillitteri
Senior Information Security Specialist | Kelley Dempsey
Information Security Specialists | Ned Goren, Jody Jacobs
Administrative Support | Jeff Brewer
Comments: sec-cert@nist.gov (goes to all of the above)
Web: csrc.nist.gov/sec-cert