NIST SP 800-37

Risk Management Framework for Information Systems and Organizations

A System Life Cycle Approach for Security and Privacy

The framework is structured around three levels: the organization view (Level 1), the mission/business process view (Level 2), and the information system view (Level 3).

"800-37" is short for NIST SP 800-37 (also written NIST 800-37). It is not limited to one sector: it can be applied by any organization, including military, aviation, and commercial IT. For IT systems it is a risk management framework that invokes several other NIST standards, including FIPS 199 (security categorization), NIST SP 800-53 (control catalog), SP 800-53B (control baselines), and SP 800-53A (assessment procedures).

ABSTRACT

The Risk Management Framework (RMF) is a structured, repeatable process for managing security and privacy risk, keeping that risk at a level acceptable to the organization. It covers:

  • information security categorization
  • control selection
  • implementation
  • assessment
  • authorization
  • monitoring

INTRODUCTION

1.1 BACKGROUND

The RMF supports risk management by:

  • promoting the development of security and privacy capabilities throughout the system development life cycle (SDLC);
  • maintaining awareness of the security and privacy posture of systems through continuous monitoring processes;
  • giving senior leaders and executives the information they need to make risk-based decisions.

2.1 ORGANIZATION-WIDE RISK MANAGEMENT

Managing security and privacy risk involves the entire organization.

Level One

Organization level: senior leaders set the vision, goals, objectives, and risk tolerance that frame all lower-level decisions.

Level Two

Mission/business process level: mid-level leaders plan and manage the projects that develop, implement, operate, and maintain systems in support of the organization's mission and business processes.

Level Three

Information system level: the systems that carry out those mission and business processes. Risk is addressed here by executing the risk decisions made at the levels above (selecting, implementing, assessing, and monitoring controls).

Prepare step (organization- and system-level tasks)

Before categorizing any system, the Prepare step establishes the context the rest of the RMF depends on:

  • identifying the mission and business functions and the processes the information systems support;
  • identifying key stakeholders, including external ones (for example, suppliers and service providers);
  • identifying and prioritizing assets, including information systems;
  • understanding the threats to information systems and to the organization;
  • understanding the potential adverse effects on individuals (privacy);
  • conducting organization-wide and system-level risk assessments;
  • identifying and prioritizing security and privacy requirements;
  • determining authorization boundaries;
  • developing security and privacy architectures;
  • allocating controls and tracing them through the system development life cycle.

2.2 RISK MANAGEMENT FRAMEWORK STEPS AND STRUCTURE

Revision 2 defines seven steps (Revision 1 had six; Prepare was added in Revision 2):

  1. Prepare the organization and the system to execute the RMF (see the preparation tasks above).
  2. Categorize the system and the information it processes by the impact of a loss of confidentiality, integrity, or availability (FIPS 199 defines the impact levels; SP 800-60 maps information types to provisional impact levels).
  3. Select and tailor the controls, starting from the baselines in SP 800-53B.
  4. Implement the controls and document how they are deployed.
  5. Assess the controls, using the assessment procedures in SP 800-53A, to determine whether they are implemented correctly and producing the desired outcome.
  6. Authorize the system, or a set of common (inherited) controls, based on a determination that the remaining risk is acceptable.
  7. Monitor the system and its controls on an ongoing basis (SP 800-53A procedures and SP 800-137 for information security continuous monitoring).

FLEXIBILITY IN RMF IMPLEMENTATION

Organizations may adjust how they execute the RMF: performing tasks in a different order, emphasizing particular tasks, combining tasks, or using the Cybersecurity Framework (CSF) alongside the RMF to enhance its tasks. What must not change is the outcome each task is meant to produce.

2.3 INFORMATION SECURITY AND PRIVACY IN THE RMF

The RMF relies on two complementary programs. Where a system processes personally identifiable information (PII), both must be coordinated:

Security program

Protects information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Privacy program

Ensures compliance with privacy requirements and manages the risks to individuals that arise from the authorized processing of their PII (risks that can exist even when the security controls are working as intended).

2.7 SECURITY AND PRIVACY POSTURE

The security and privacy posture of an organization or system is:

  • the security and privacy status of its networks, information, and systems, based on the security and privacy resources in place (e.g., people, hardware, software, policies, and procedures); and
  • the capabilities in place to manage the defense of the organization, to comply with applicable privacy requirements and manage privacy risks, and to react as the situation changes.

2.8 SUPPLY CHAIN RISK MANAGEMENT

Supply chain risk management (SCRM) policy, as described in NIST SP 800-161, addresses the risks introduced by suppliers, products, and services.

It relies on building trust relationships and communicating requirements and risk information with both internal and external stakeholders (including the suppliers themselves).

3.2 CATEGORIZE


TASK C-1 SYSTEM DESCRIPTION

Document the characteristics of the system: the assets that make it up, grouped by system, with attributes such as system version or release number, manufacturer and supplier information, network topology, the information types processed, and the authorization boundary.

TASK C-2 SECURITY CATEGORIZATION

Determine the impact level of the system and of the information it processes (see FIPS 199; SP 800-60 provides provisional impact levels per information type). The system's level for each security objective is the highest impact level of any information type it handles.
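The following is an added worked example, not text from SP 800-37 or FIPS 199, showing the FIPS 199 "high-water mark" rule used in Task C-2: for each security objective the system's impact level is the highest level assigned to any information type it processes, and the overall system level is the highest of the three objectives. It also handles the one edge case FIPS 199 calls out: "not applicable" may be assigned to the confidentiality of an information type (e.g. public information) but never to a system, whose minimum level is LOW. The information types and impact values below are constructed sample data, not taken from SP 800-60.

```python
"""FIPS 199 high-water-mark categorization of an information system.

Added example (not from SP 800-37/FIPS 199). Sample information types below are
constructed for illustration; real values come from SP 800-60 and the owner's
own impact analysis.
"""
from dataclasses import dataclass

NOT_APPLICABLE = "N/A"  # allowed only for confidentiality of an information type
LEVELS = (NOT_APPLICABLE, "LOW", "MODERATE", "HIGH")  # ascending order
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type and its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str, objective: str, name: str) -> str:
    """Validate a single impact value against the FIPS 199 rules."""
    if level not in LEVELS:
        raise ValueError(f"{name}/{objective}: unknown impact level {level!r}")
    if level == NOT_APPLICABLE and objective != "confidentiality":
        raise ValueError(f"{name}/{objective}: N/A is only permitted for confidentiality")
    return level


def _high_water(levels) -> str:
    """Highest impact level in the sequence (ordered by LEVELS)."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types) -> dict:
    """Return the security category of a system as a dict.

    Keys are the three objectives plus 'overall'. A system's level for an
    objective is the high-water mark over all of its information types; the
    overall level is the high-water mark over the three objectives. A system
    is never N/A: if no information type carries confidentiality impact, the
    system still gets LOW, as FIPS 199 requires.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc = {}
    for objective in OBJECTIVES:
        hw = _high_water(_check(getattr(t, objective), objective, t.name) for t in info_types)
        sc[objective] = "LOW" if hw == NOT_APPLICABLE else hw
    sc["overall"] = _high_water(sc[o] for o in OBJECTIVES)
    return sc


def format_security_category(system_name: str, sc: dict) -> str:
    """Render the category in the notation FIPS 199 uses."""
    return (f"SC {system_name} = {{(confidentiality, {sc['confidentiality']}), "
            f"(integrity, {sc['integrity']}), (availability, {sc['availability']})}}"
            f" -> overall {sc['overall']}")


# Constructed sample system (not real SP 800-60 data): a customer portal that
# serves public pages, stores customer PII and hands off payment processing.
SAMPLE_SYSTEM = [
    InfoType("public web content", NOT_APPLICABLE, "MODERATE", "MODERATE"),
    InfoType("customer PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment processing", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    print(format_security_category("customer portal", categorize_system(SAMPLE_SYSTEM)))
```

For the constructed sample the portal comes out MODERATE for confidentiality and availability but HIGH for integrity, so the system is categorized HIGH overall and would start from the HIGH baseline in SP 800-53B during the Select step. This is the practical reason categorization is done per information type rather than for the system as a whole: a single high-impact information type pulls the entire system up.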

TASK C-3 SECURITY CATEGORIZATION REVIEW AND APPROVAL

The results of Tasks C-1 and C-2 are reviewed and approved by the authorizing official (or a designated representative), with the senior agency official for privacy involved where PII is processed.

3.3 SELECT(controls)


TASK S-1 to S-4 CONTROL SELECTION, TAILORING, ALLOCATION, AND DOCUMENTATION

Select the control baseline that matches the system's impact level (S-1) from NIST SP 800-53B, tailor it to the system's environment and risk (S-2), and allocate each control as system-specific, common (inherited), or hybrid (S-3). Tailoring may add, remove, or supplement controls, and organization-defined or custom controls may be created; every deviation from the baseline must be justified and recorded. The planned implementation of each control is documented in the security and privacy plans (S-4).

TASK S-5 CONTINUOUS MONITORING STRATEGY (SYSTEM LEVEL)

Define how each control will be monitored after deployment and how often it will be reassessed, consistent with the organization-level strategy from the Prepare step. NIST SP 800-53A supplies the assessment procedures; tailored or custom controls from Tasks S-1 to S-4 need correspondingly tailored assessment procedures.

TASK S-6 PLAN REVIEW AND APPROVAL

The security and privacy plans are reviewed and approved by the authorizing official (or a designated representative).

3.4 IMPLEMENT(controls to plans)


TASK I-1 CONTROL IMPLEMENTATION, TASK I-2 UPDATE CONTROL IMPLEMENTATION INFORMATION

Implement the controls described in the security and privacy plans, ideally during the SDLC design and development phases so that the controls are practicable for the system (I-1). As the implementation reveals what actually works, update the plans to reflect the as-built controls, adjusting them where needed (I-2).

3.5 ASSESS( plans)

The Assess step is not optional, even though Select and Implement have already done much of the work: it is the independent check that the controls are implemented correctly, operating as intended, and producing the desired outcome. Its tasks are selecting an assessor (A-1), developing and approving the assessment plan (A-2), performing the assessments against SP 800-53A procedures (A-3), producing the assessment reports (A-4), remediating findings where feasible (A-5), and recording the remaining weaknesses in a plan of action and milestones (POA&M, A-6).

3.6 AUTHORIZE (decision by the authorizing official)

The Authorize step is also not optional; the approvals in 3.2 CATEGORIZE and 3.3 SELECT only approve plans, not the operation of the system. Here the authorizing official receives the authorization package (plans, assessment reports, POA&M, R-1), analyzes and determines the risk (R-2), decides on a risk response (R-3), issues the authorization decision, which may be an authorization to operate with conditions or a denial (R-4), and reports the decision to the organization (R-5).

3.7 MONITOR


TASK M-1 SYSTEM AND ENVIRONMENT CHANGES

Monitor the system and its operating environment for changes (for example, configuration changes, new interconnections, or new threats) and update the security and privacy plans accordingly. A change may require re-tailoring or re-assessing controls.

TASK M-2 to M-5 ONGOING ASSESSMENTS, RISK RESPONSE, PACKAGE UPDATES, AND REPORTING

Assess controls on the schedule set by the continuous monitoring strategy (M-2), respond to the risks the assessments reveal (M-3), keep the authorization package (plans, assessment reports, POA&M) up to date (M-4), and report the security and privacy posture to the authorizing official and other stakeholders (M-5).

TASK M-6 ONGOING AUTHORIZATION

Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable.

TASK M-7 SYSTEM DISPOSAL

When the system is removed from operation, execute a disposal strategy: sanitize or destroy media, retire or re-home inherited controls, update inventories and plans, and retain records as required.

Tips

Cybersecurity Framework Profiles are an alternative way to carry out Prepare Task P-4 (organizationally tailored control baselines and CSF profiles).

The RMF is meant to be integrated into the SDLC rather than run as a separate compliance exercise; executing its tasks within the SDLC phases is the recommended way to implement it.

Acronyms

SDLC, System Development Life Cycle (in SP 800-37 this covers the whole system, not only its software)

SCRM, Supply Chain Risk Management

Reference

National Institute of Standards and Technology (December 2018). NIST Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. https://doi.org/10.6028/NIST.SP.800-37r2

Pacific Northwest National Laboratory (November 2018). Risk Management Framework Process Map. PNNL-28347.

Veracode (2008). Understanding NIST 800-37 FISMA Requirements.
