Rethinking the Role of Compliance
Download the Guide

RMF/NIST 800-37

The Risk Management Framework (RMF) is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored.
REQUEST DEMO
View Blog Series

A Comprehensive, Flexible, Risk-Based Approach

The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.

Prepare Step

Purpose: Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF
 
Outcomes: 

  • key risk management roles identified
  • organizational risk management strategy established, risk tolerance determined
  • organization-wide risk assessment
  • organization-wide strategy for continuous monitoring developed and implemented
  • common controls identified

Categorize Step

Purpose: Inform organizational risk management processes and tasks by determining the adverse impact  with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems
 
Outcomes: 

  • system characteristics documented
  • security categorization of the system and information completed
  • categorization decision reviewed/approved by authorizing official

Select Step

Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk
 
Outcomes: 

  • control baselines selected and tailored
  • controls designated as system-specific, hybrid, or common
  • controls allocated to specific system components
  • system-level continuous monitoring strategy developed
  • security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved

Implement Step

Purpose: Implement the controls in the security and privacy plans for the system and organization
 
Outcomes: 

  • controls specified in security and privacy plans implemented
  • security and privacy plans updated to reflect controls as implemented

Assess Step

Purpose: Determine if the controls are
implemented correctly, operating as intended, and producing the desired outcome with respect
to meeting the security and privacy requirements for the system and the organization.
 
Outcomes: 

  • assessor/assessment team selected
  • security and privacy assessment plans developed
  • assessment plans are reviewed and approved
  • control assessments conducted in accordance with assessment plans
  • security and privacy assessment reports developed
  • remediation actions to address deficiencies in controls are taken
  • security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
  • plan of action and milestones developed

Authorize Step

Purpose: Provide  accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls, is acceptable.
 
Outcomes: 

  • authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
  • risk determination rendered
  • risk responses provided
  • authorization for the system or common controls is approved or denied

Monitor

Purpose: Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions
 
Outcomes: 

  • system and environment of operation monitored in accordance with continuous monitoring strategy
  • ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
  • output of continuous monitoring activities analyzed and responded to
  • process in place to report security and privacy posture to management
  • ongoing authorizations conducted using results of continuous monitoring activities

Interested to learn more?

View our blog series on a data-driven approach to the Risk Management Framework (RMF) defined in “NIST Special Publication 800-37 Risk Management Framework for Information Systems and Organizations.”

In each part of this series, we’ll be discussing each step of the RMF. Summarily, we will describe the key objective of that step, typical implementation, and what it means from a data-driven perspective.

VIEW THE BLOG

Schedule Your Demo Now!

Schedule your demo today to see how Q-Compliance can transform your compliance experience.

Today’s dynamic enterprise and evolving threat landscape demand automated real-time compliance that drives improved cybersecurity and risk posture while future-proofing against emerging regulations.

Linkedin-in Twitter Youtube
Navigation
Contact Information
Get Started

Request a Demo

Learn how QMULOS can help your company grow by scheduling a demo with our team.