
NIST - National Institute of Standards and Technology

RMF - Risk Management Framework

NIST Special Publication [SP] 800-37 describes the Risk Management Framework, a process for integrating security and privacy risk management into the SDLC [System Development Life Cycle].

It was written to manage organizational risk for federal information systems, but the general approach can be applied to any organization.

​

Revision 2 breaks the process into six steps plus an overarching Prepare step that runs alongside them:

  • Prepare

  • Categorize

  • Select

  • Implement

  • Assess

  • Authorize

  • Monitor

On December 20, 2018, NIST SP 800-37 Revision 1 was superseded by Revision 2, which introduced seven major objectives and the new Prepare step.

Please see the links if you would like to read more on these topics. Revision 1 Link | Revision 2 Link | Changes

More info

[Figure: NIST SP 800-37 Rev. 2 RMF steps]

Life Cycle Process

Prepare

The Prepare step carries out the organization-level and system-level activities needed to manage security and privacy risk with the RMF. It is not a one-time first step: its outputs (risk management strategy, organization-wide risk assessment, common control identification, system boundary and stakeholders) feed every other step and are revisited as they change.

Please see more details and links below:

  • Perform an initial analysis at the Organizational and System Levels

For more info on these specific tasks please see the sources below:

Organizational Level - Video Link

System Level - Video Link

Prepare Step

Categorize

The Categorize step defines the criticality / sensitivity of an information system according to the worst-case potential impact on the mission / business, using the impact levels defined in FIPS 199 (Low, Moderate, High).

Steps:

  • Analyze the system boundary (components) - Source

  • Identify the information types associated with the components (NIST SP 800-60 provides provisional impact levels per information type)

  • Provide a short description of each (Functionality / Type / Name / Attached)

Notes:

  • The highest level determines the overall criticality / impact (the FIPS 199 "high water mark"): for each security objective, take the highest impact level across all information types on the system; the overall system impact is the highest of the three objectives.

    • Example:

      • if the CIA [Confidentiality / Integrity / Availability] impacts are determined as (Moderate / Low / Low), then the system is categorized as Moderate Criticality / Impact

  • For more information please have a look at the following publications

    • FIPS Publications 199, 200

    • NIST SP 800-30, 53, 53A, 60

    • CNSS Instruction 1253

Categorize Step

Select

The Select step chooses the initial control baseline from the impact level determined in Categorize (FIPS 200 / NIST SP 800-53 Low, Moderate or High baseline), then tailors and supplements it for the system based on the risk assessment performed.

Steps:

  • Determine the baseline controls from the system's impact level

  • Tailor the controls to the organization and system (scope, add compensating or supplemental controls, assign parameter values) and document the rationale

  • Document the controls within an SSP [System Security Plan]; see NIST SP 800-18 for more info

Notes:

  • During this step a continuous monitoring strategy for the system should also be developed, so that Monitor has something concrete to execute

  • For more information please have a look at the following publications

    • FIPS Publications 199, 200

    • NIST SP 800-30, 53, 53A, 137

    • CNSS Instruction 1253
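As an added worked example for the Categorize and Select steps above (not code from the page or from NIST), the following Python applies the FIPS 199 high water mark to a set of information types and maps the result to the FIPS 200 baseline level. The information types and their impact values are constructed for illustration; on a real system they come from NIST SP 800-60 and the system owner's own analysis.

```python
"""FIPS 199 high water mark categorization and the FIPS 200 baseline it selects.

Added example; the information types below are constructed, not taken from
any real system or from the page this illustrates.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FIPS 199 impact levels in ascending order. "NA" (not applicable) may only be
# assigned to the confidentiality of an individual information type that is
# public; it can never be the confidentiality level of a whole system.
LEVELS: Dict[str, int] = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES: Dict[int, str] = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _score(level: str, objective: str) -> int:
    """Validate one impact value and return its numeric rank."""
    lvl = level.upper()
    if lvl not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    if lvl == "NA" and objective != "confidentiality":
        raise ValueError("NA is only permitted for confidentiality")
    return LEVELS[lvl]


def categorize(info_types: Iterable[InfoType]) -> dict:
    """Apply the FIPS 199 high water mark.

    Per objective: the highest impact across all information types, floored at
    LOW because FIPS 199 sets LOW as the minimum for an information system.
    Overall: the highest of the three objectives. Also records which
    information type drove each objective, which is what an assessor asks for.
    """
    types: List[InfoType] = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    objectives: Dict[str, str] = {}
    drivers: Dict[str, str] = {}
    for obj in OBJECTIVES:
        top = max(types, key=lambda t: _score(getattr(t, obj), obj))
        rank = max(_score(getattr(top, obj), obj), LEVELS["LOW"])
        objectives[obj] = NAMES[rank]
        drivers[obj] = top.name
    overall = max(objectives.values(), key=LEVELS.__getitem__)
    return {"objectives": objectives, "drivers": drivers, "overall": overall}


def security_category(categorization: dict) -> str:
    """Render the categorization in FIPS 199 notation."""
    parts = ", ".join(f"({obj}, {categorization['objectives'][obj]})" for obj in OBJECTIVES)
    return f"SC system = {{{parts}}}"


def select_baseline(categorization: dict) -> str:
    """FIPS 200: the initial SP 800-53 control baseline is chosen from the
    overall (high water mark) impact level; tailoring happens afterwards."""
    return categorization["overall"]


# Constructed sample: a public site, a customer record store and a payment ledger.
SAMPLE_TYPES = [
    InfoType("public web content", "NA", "LOW", "LOW"),
    InfoType("customer PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment records", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    cat = categorize(SAMPLE_TYPES)
    print(security_category(cat))
    for obj in OBJECTIVES:
        print(f"  {obj} driven by: {cat['drivers'][obj]}")
    print("overall impact:", cat["overall"], "-> baseline:", select_baseline(cat))
```

The floor at LOW matters for the public-content case: a system whose only information type has confidentiality "NA" is still categorized LOW for confidentiality, not NA, because FIPS 199 forbids NA at the system level. The `drivers` map is there because the tailoring rationale in the SSP usually has to say which information type pushed an objective to its level.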

Select Step

Implement

The Implement step puts the selected and tailored controls into place in the system and its environment of operation, including how the system connects to other systems.

Steps:

  • Meet with team members to agree on responsibilities / specialties for each control

  • Document how each control is deployed within the system in the SSP, updating the plan where the actual implementation differs from what was planned

Notes:

  • Requires someone who understands how to implement each control and tailor it to the organization

  • For more information please have a look at the following publications

    • FIPS Publications 199, 200

    • NIST SP 800-30, 53, 53A, 137

    • CNSS Instruction 1253

Implement Step

Assess

The Assess step tests each control to determine the extent to which it is implemented correctly, operating as intended, and producing the desired outcome with respect to the documented security and privacy requirements.

Steps:

  • An assessor (independent of the system owner where the organization requires it) assesses the controls against the assessment plan and produces an assessment report

  • Address / remediate any weaknesses / deficiencies found, and reassess the remediated controls

  • Document findings in the assessment report and update the SSP; weaknesses that cannot be fixed immediately are carried into the POA&M with a remediation timeline

Notes:

  • NIST SP 800-53A documents the assessment procedures for each control

  • For more information please have a look at the following publications

    • NIST SP 800-30, 53A, 70

Assess Step

Authorize

In the Authorize step the authorizing official reviews the assessment results, decides whether the residual risk to the organization is acceptable, and issues an authorization decision. Weaknesses that remain are documented in a POA&M [Plan of Action & Milestones] with a timeline to remediate them.

Steps:

  • Present the findings of the risk assessment / risk determination to the authorizing official

  • Document tasks that still need to be completed in the POA&M

Notes:

  • The authorization package consists of the SSP, the assessment report and the POA&M

  • For more information please have a look at the following publications

    • OMB Memorandum 02-01 (Guidance for Preparing and Submitting Security Plans of Action and Milestones)

    • NIST SP 800-30, 39, 53A

Authorize Step

Monitor

The Monitor step maintains ongoing awareness of the system's security and privacy posture: tracking changes to the system and its environment, newly discovered vulnerabilities and misconfigurations, reassessing controls and reporting status so that the authorization decision stays valid.

Steps:

  • Monitor the current controls and update them based on changes to the system / environment

  • Provide regular reports on the current security status and remediate any flaws found

Notes:

  • Automated tools are not required, but they allow near real-time awareness of security status instead of periodic snapshots

  • For more information please have a look at the following publications

    • NIST SP 800-30, 39, 53, 53A, 137

    • CNSS Instruction 1253

Monitor Step