Qmulos will be publishing a six-part blog series on a data-driven approach to the Risk Management Framework (RMF) defined in NIST Special Publication 800-37, “Risk Management Framework for Information Systems and Organizations.”
Why use a data-driven RMF approach?
A data-driven approach to the RMF uses data automatically collected from your IT environment to streamline, automate, and inform the decisions you make to manage the cybersecurity risks of developing and operating your information systems. Traditional approaches focus on documenting and reviewing control implementation statements, supported by static snapshots of technical evidence, to judge whether security controls are correctly implemented and operating effectively. The result is hundreds of pages of documentation built on data that is out of date by the time anyone reads it, which provides little assurance that the controls are actually operating as described. Rather than reviewing implementation statements and taking a “trust me” approach, a data-driven approach uses the machine data (e.g. logs, configuration settings, events, transactions) that is automatically collected from your systems, so that you can continuously monitor and verify that the controls are providing the required level of protection. Because the evidence is collected continuously, its age is part of the assessment: an observation that is weeks old, or a system from which nothing was collected at all, cannot be counted as a passing control.
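To make the contrast with a static implementation statement concrete, here is what a data-driven control check looks like in code. This is an added example for this post, not Qmulos or Q-Compliance code. The control (a session lock after at most 15 minutes, in the spirit of NIST SP 800-53 AC-11), the 24-hour evidence freshness window, and the host configuration records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical control requirement, modelled on the spirit of NIST SP 800-53
# AC-11 (session lock): interactive sessions must lock after at most 15 minutes.
REQUIRED_TIMEOUT_MIN = 15
# Evidence older than this is not accepted as proof the control is operating now.
MAX_EVIDENCE_AGE = timedelta(hours=24)


@dataclass(frozen=True)
class ConfigRecord:
    """One automatically collected configuration observation for a host."""
    host: str
    collected_at: datetime
    session_timeout_min: int  # 0 means the session lock is disabled


@dataclass(frozen=True)
class ControlResult:
    host: str
    status: str  # "pass", "fail", "stale" or "no-evidence"
    detail: str


def assess_session_lock(inventory, records, now):
    """Evaluate the control per host from collected machine data.

    Every host in the authorization boundary must be accounted for: a host
    with no recent observation is reported as such, never silently counted
    as compliant.
    """
    latest = {}
    for r in records:
        if r.host not in latest or r.collected_at > latest[r.host].collected_at:
            latest[r.host] = r  # keep only the newest observation per host

    results = []
    for host in sorted(inventory):
        r = latest.get(host)
        if r is None:
            results.append(ControlResult(host, "no-evidence", "no configuration collected"))
            continue
        age = now - r.collected_at
        if age > MAX_EVIDENCE_AGE:
            results.append(ControlResult(host, "stale", f"last observation {age.days}d ago"))
        elif 0 < r.session_timeout_min <= REQUIRED_TIMEOUT_MIN:
            results.append(ControlResult(host, "pass", f"timeout={r.session_timeout_min}m"))
        else:
            results.append(ControlResult(
                host, "fail",
                f"timeout={r.session_timeout_min}m, required > 0 and <= {REQUIRED_TIMEOUT_MIN}m"))
    return results


def summarize(results):
    """Count results by status; anything other than 'pass' needs a human's attention."""
    counts = {"pass": 0, "fail": 0, "stale": 0, "no-evidence": 0}
    for res in results:
        counts[res.status] += 1
    return counts


# Constructed sample data for the example (not real collection output).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
INVENTORY = {"web01", "db01", "app01", "bastion01"}
RECORDS = [
    ConfigRecord("web01", NOW - timedelta(minutes=30), 10),  # compliant, fresh
    ConfigRecord("db01", NOW - timedelta(minutes=15), 30),   # non-compliant, fresh
    ConfigRecord("db01", NOW - timedelta(days=3), 10),       # older compliant record, superseded
    ConfigRecord("app01", NOW - timedelta(days=13), 10),     # compliant value, but stale
    # bastion01 is in the inventory but nothing was collected from it
]


def run_example():
    return assess_session_lock(INVENTORY, RECORDS, NOW)


if __name__ == "__main__":
    for res in run_example():
        print(f"{res.host:10} {res.status:12} {res.detail}")
    print(summarize(run_example()))
```

Two design choices carry the point of the paragraph above. Only the newest observation per host counts, so an old compliant record for db01 does not mask the current non-compliant setting; and a stale observation or a missing host is reported as its own status rather than folded into "pass" or "fail", because the absence of fresh evidence is exactly what a document-based assessment hides.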
Each part of this series covers one step of the RMF. For each step we will describe its key objective, how it is typically implemented, and what it means from a data-driven perspective. We will then discuss how our flagship continuous monitoring and compliance automation solution, Q-Compliance, enables a data-driven implementation of that step. Finally, we will explain how traditional approaches and GRC tools implement the same step, and highlight the benefits of the data-driven approach. Stay tuned, bookmark this page, and check back regularly for links to each part as we publish them.
1. Part 1 – Categorize
2. Part 2 – Select
3. Part 3 – Implement
4. Part 4 – Assess
5. Part 5 – Authorize
6. Part 6 – Monitor