The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is a United States federal government guideline, standard and process for managing risk to information systems (computers and networks), developed by NIST. The RMF provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle. [1] [2]
The main document that describes the details of the RMF is NIST Special Publication 800-37, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy". [3] The current edition is Revision 2, which supersedes Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems". [1]
The various steps of the RMF link to several other NIST standards and guidelines, including NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations".
The RMF steps (SP 800-37 Revision 2) include:
Prepare: establish the context, roles, risk tolerance and organizational common controls needed to run the framework.
Categorize: determine the impact of a loss of confidentiality, integrity or availability for the system and the information it processes.
Select: choose and tailor a baseline of security and privacy controls appropriate to that categorization.
Implement: deploy the controls and document how they are implemented.
Assess: verify that the controls are in place, operating as intended and producing the desired outcome.
Authorize: have a senior official decide whether the residual risk is acceptable and authorize the system to operate.
Monitor: continuously track the system and its controls for changes, and report the results to the authorizing official.
The E-Government Act of 2002 (Public Law 107-347), Title III of which is the Federal Information Security Management Act of 2002 (FISMA 2002), was passed in 2002 to protect the economic and national security interests of the United States related to information security. [11]
Congress later passed FISMA 2014 (Federal Information Security Modernization Act) to provide improvements over FISMA 2002 by:
FISMA requires protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability. [13] Title III of FISMA 2002 tasked NIST with responsibilities for standards and guidelines, including the development of:
The NIST 800-37 Risk Management Framework (RMF) is a set of cybersecurity risk management guidelines designed to help organizations manage security and privacy risks and satisfy the requirements of the Federal Information Security Modernization Act of 2014 (FISMA), the Privacy Act of 1974, OMB policies, and Federal Information Processing Standards, among other laws, regulations, and policies. [3]
During its lifecycle, an information system will encounter many types of risk that affect its overall security posture and the security controls that must be implemented. The RMF process supports early detection and resolution of risks. Risks can be categorized at a high level as infrastructure, project, application, information asset, business continuity, outsourcing, external and strategic risks. Infrastructure risks focus on the reliability of computers and networking equipment. Project risks focus on budget, timeline and system quality. Application risks focus on performance and overall system capacity. Information asset risks pertain to the potential damage or loss of information assets and unauthorized disclosure of these assets. Business continuity risks involve maintaining a reliable system with maximum uptime. Outsourcing risks revolve around the impact of third-party suppliers meeting their requirements. [14] External risks are factors beyond the information system's control that can impact the system's security. Strategic risks are associated with the need for information system functions to align with the business strategy that the system supports. [15]
The major objectives for the update to revision 2 included the following: [16]
Revision 2 also added a new "Prepare" step in position zero to achieve more effective, efficient, and cost-effective security and privacy risk management processes. [16]
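The Categorize and Select steps above are the part of the RMF that can be expressed as a mechanical rule: the FIPS 199 security categorization takes the high-water mark of each security objective across every information type the system handles, and FIPS 200 picks the initial SP 800-53 control baseline from the highest of the three objectives. The following Python is an added example, not code from NIST or from SP 800-37; the information types and their impact values are constructed for illustration and are not SP 800-60 mappings, and the tailoring helper (`adjust_objective`) is a hypothetical convenience that only enforces that any deviation from the high-water mark is written down with a rationale.

```python
from enum import IntEnum
from typing import Dict, List, Tuple

class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

# Security objectives in the order FIPS 199 lists them.
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types the hypothetical system stores, each with a
# provisional (C, I, A) impact. Values are illustrative, not SP 800-60 recommendations.
SAMPLE_INFO_TYPES: Dict[str, Tuple[Impact, Impact, Impact]] = {
    "public web content":   (Impact.LOW,      Impact.MODERATE, Impact.LOW),
    "citizen PII records":  (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payment instructions": (Impact.MODERATE, Impact.HIGH,     Impact.MODERATE),
}

def categorize(info_types: Dict[str, Tuple[Impact, Impact, Impact]]) -> Dict[str, Impact]:
    """Categorize step: per-objective high-water mark across all information types."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {obj: max(levels[i] for levels in info_types.values())
            for i, obj in enumerate(OBJECTIVES)}

def system_impact(levels: Dict[str, Impact]) -> Impact:
    """FIPS 200 rule: the overall system impact is the highest of the three objectives."""
    return max(levels.values())

def select_baseline(levels: Dict[str, Impact]) -> str:
    """Select step: the initial SP 800-53 baseline is named after the overall impact."""
    return system_impact(levels).name

def format_categorization(levels: Dict[str, Impact]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    body = ", ".join(f"({obj}, {levels[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + body + "}"

def adjust_objective(levels: Dict[str, Impact], objective: str, new_level: Impact,
                     rationale: str, audit_log: List[str]) -> Dict[str, Impact]:
    """Hypothetical tailoring helper: change one objective's level only with a written rationale.

    Raising a level is always allowed; lowering one below the high-water mark is the
    kind of decision an authorizing official must be able to trace, so it is refused
    unless a non-empty justification is supplied and recorded.
    """
    if objective not in levels:
        raise KeyError(f"unknown security objective: {objective}")
    if new_level < levels[objective] and not rationale.strip():
        raise ValueError(f"lowering {objective} below the high-water mark requires a rationale")
    audit_log.append(f"{objective}: {levels[objective].name} -> {new_level.name} ({rationale.strip() or 'raised'})")
    adjusted = dict(levels)
    adjusted[objective] = new_level
    return adjusted

if __name__ == "__main__":
    levels = categorize(SAMPLE_INFO_TYPES)
    print(format_categorization(levels))
    print("initial baseline:", select_baseline(levels))
```

Running the block on the constructed sample categorizes the system as moderate confidentiality, high integrity and moderate availability, so the single high objective pulls the initial baseline up to HIGH; tailoring from there is a documented decision, not an edit to the numbers.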