Rethinking the Role of Compliance

RMF/NIST 800-37

The Risk Management Framework (RMF) is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored.

A Comprehensive, Flexible, Risk-Based Approach

The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.

Purpose: Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF

  • key risk management roles identified
  • organizational risk management strategy established, risk tolerance determined
  • organization-wide risk assessment
  • organization-wide strategy for continuous monitoring developed and implemented
  • common controls identified

Purpose: Inform organizational risk management processes and tasks by determining the adverse impact  with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems

  • system characteristics documented
  • security categorization of the system and information completed
  • categorization decision reviewed/approved by authorizing official

Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk

  • control baselines selected and tailored
  • controls designated as system-specific, hybrid, or common
  • controls allocated to specific system components
  • system-level continuous monitoring strategy developed
  • security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved

Purpose: Implement the controls in the security and privacy plans for the system and organization

  • controls specified in security and privacy plans implemented
  • security and privacy plans updated to reflect controls as implemented

Purpose: Determine if the controls are
implemented correctly, operating as intended, and producing the desired outcome with respect
to meeting the security and privacy requirements for the system and the organization.

  • assessor/assessment team selected
  • security and privacy assessment plans developed
  • assessment plans are reviewed and approved
  • control assessments conducted in accordance with assessment plans
  • security and privacy assessment reports developed
  • remediation actions to address deficiencies in controls are taken
  • security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
  • plan of action and milestones developed

Purpose: Provide  accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls, is acceptable.

  • authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
  • risk determination rendered
  • risk responses provided
  • authorization for the system or common controls is approved or denied

Purpose: Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions

  • system and environment of operation monitored in accordance with continuous monitoring strategy
  • ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
  • output of continuous monitoring activities analyzed and responded to
  • process in place to report security and privacy posture to management
  • ongoing authorizations conducted using results of continuous monitoring activities

Interested to learn more?

View our blog series on a data-driven approach to the Risk Management Framework (RMF) defined in “NIST Special Publication 800-37 Risk Management Framework for Information Systems and Organizations.”

In each part of this series, we’ll be discussing each step of the RMF. Summarily, we will describe the key objective of that step, typical implementation, and what it means from a data-driven perspective.

Schedule Your Demo Now!

Schedule your demo today to see how Q-Compliance can transform your compliance experience.

Request a Demo

Learn how QMULOS can help your company grow by scheduling a demo with our team.