Risk management framework
NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).

The Risk Management Framework (RMF), illustrated at right, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
The RMF steps include:
- Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
- Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
- Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
- Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
- Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
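The six steps above, as an added example that is not part of SP 800-37 or any NIST publication: a small Python model that carries a system through Categorize, Select, Implement, Assess, Authorize and Monitor and refuses to run a step before the step that feeds it has completed. It goes slightly beyond the page in one place: the categorization is computed as the high-water mark (maximum) of the confidentiality, integrity and availability impact levels, which is the FIPS 199 rule the RMF categorization step relies on. Everything else is an assumption for illustration: the control identifiers and the per-category baselines are constructed placeholders (not the SP 800-53 baselines), and the authorization rule (authorize only when the number of ineffective controls is within the authorizing official's stated tolerance) is a constructed stand-in for the risk determination.

```python
"""Added example: the six RMF steps as an order-enforcing state machine.
Control ids, baselines and the authorization tolerance are constructed
placeholders; only the high-water-mark categorization reflects a real rule."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


def categorize(confidentiality: Impact, integrity: Impact, availability: Impact) -> Impact:
    """Step 1: the system category is the high-water mark of the three impact
    levels produced by the impact analysis (FIPS 199 rule; assumed here)."""
    return max(confidentiality, integrity, availability)


# Constructed baselines with placeholder control ids (NOT SP 800-53 content).
BASELINES = {
    Impact.LOW: {"CTL-ACCESS", "CTL-AUDIT", "CTL-CONFIG"},
    Impact.MODERATE: {"CTL-ACCESS", "CTL-AUDIT", "CTL-CONFIG", "CTL-INCIDENT", "CTL-MONITOR"},
    Impact.HIGH: {"CTL-ACCESS", "CTL-AUDIT", "CTL-CONFIG", "CTL-INCIDENT", "CTL-MONITOR", "CTL-CRYPTO"},
}


@dataclass
class RmfSystem:
    name: str
    category: Impact | None = None
    controls: set[str] = field(default_factory=set)
    tailoring_log: list[str] = field(default_factory=list)
    implementation: dict[str, str] = field(default_factory=dict)
    findings: dict[str, bool] = field(default_factory=dict)  # control -> effective?
    authorized: bool = False
    done: set[str] = field(default_factory=set)

    def _require(self, previous: str) -> None:
        # Refuse to run a step until the step that feeds it has completed.
        if previous not in self.done:
            raise RuntimeError(f"{self.name}: step '{previous}' must complete first")

    def categorize(self, c: Impact, i: Impact, a: Impact) -> Impact:
        self.category = categorize(c, i, a)
        self.done.add("categorize")
        return self.category

    def select(self, add=(), remove=(), rationale: str = "") -> set[str]:
        """Step 2: start from the baseline, then tailor; removing a control
        requires a documented rationale (the organizational risk assessment)."""
        self._require("categorize")
        if remove and not rationale:
            raise ValueError("tailoring out a control requires a documented rationale")
        self.controls = (BASELINES[self.category] | set(add)) - set(remove)
        for ctl in remove:
            self.tailoring_log.append(f"removed {ctl}: {rationale}")
        self.done.add("select")
        return self.controls

    def implement(self, control: str, how: str) -> None:
        """Step 3: record how each selected control is employed in the system."""
        self._require("select")
        if control not in self.controls:
            raise KeyError(f"{control} is not in the selected control set")
        self.implementation[control] = how
        if self.controls <= set(self.implementation):
            self.done.add("implement")

    def assess(self, results: dict[str, bool]) -> list[str]:
        """Step 4: record per-control assessment results; return the ineffective ones."""
        self._require("implement")
        missing = self.controls - set(results)
        if missing:
            raise ValueError(f"assessment incomplete for: {sorted(missing)}")
        self.findings = {c: results[c] for c in self.controls}
        self.done.add("assess")
        return sorted(c for c, ok in self.findings.items() if not ok)

    def authorize(self, max_failed: int = 0) -> bool:
        """Step 5: constructed risk rule: authorize only if the count of
        ineffective controls is within the authorizing official's tolerance."""
        self._require("assess")
        failed = [c for c, ok in self.findings.items() if not ok]
        self.authorized = len(failed) <= max_failed
        self.done.add("authorize")
        return self.authorized

    def monitor(self, change: str, affected: set[str]) -> dict:
        """Step 6: security impact analysis of a change. Controls the change
        touches lose their assessment result and must be re-assessed (and the
        system re-authorized) before the security state is reported as current."""
        self._require("authorize")
        touched = affected & self.controls
        for ctl in touched:
            self.findings.pop(ctl, None)
        if touched:
            self.done.discard("assess")  # forces assess() before the next authorize()
        return {"change": change, "reassess": sorted(touched),
                "authorized": self.authorized, "state_current": not touched}
```

The ordering check is the point: `authorize()` cannot run without an `assess()` result, and a monitored change that touches a selected control invalidates that result, so the authorization decision has to be revisited rather than silently carried forward.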
Certification and Accreditation
Certification and Accreditation is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems either before or after they enter operation. The C&A process is used extensively in the U.S. Federal Government...