1.1 THE NEED TO MANAGE SECURITY AND PRIVACY RISK
Organizations depend on information systems [1] to carry out their missions and business functions. The success of the missions and business functions depends on protecting the confidentiality, integrity, and availability of information processed, stored, and transmitted by those systems and the privacy of individuals. The threats to information systems include equipment failure, environmental disruptions, human or machine errors, and purposeful attacks that are often sophisticated, disciplined, well-organized, and well-funded. [2] When successful, attacks on information systems can result in serious or catastrophic damage to organizational operations [3] and assets, individuals, other organizations, and the Nation. [4] Therefore, it is imperative that organizations remain vigilant and that senior executives, leaders, and managers throughout the organization understand their responsibilities and are accountable for protecting organizational assets and for managing risk. [5]
In addition to the responsibility to protect organizational assets from the threats that exist in today’s environment, organizations have a responsibility to consider and manage the risks to individuals when information systems process personally identifiable information (PII). [6] [7] The information security and privacy programs implemented by organizations have complementary objectives with respect to managing the confidentiality, integrity, and availability of PII. While many privacy risks arise from unauthorized activities that lead to the loss of confidentiality, integrity, or availability of PII, other privacy risks result from authorized activities involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of PII that enables an organization to meet its mission or business objectives. For example, organizations could fail to provide appropriate notice of PII processing, depriving an individual of knowledge of such processing, or an individual could be embarrassed or stigmatized by the authorized disclosure of PII. While managing privacy risk requires close coordination between information security and privacy programs due to the complementary nature of the programs’ objectives around the confidentiality, integrity, and availability of PII, privacy risks also raise distinct concerns that require specialized expertise and approaches. Therefore, it is critical that organizations also establish and maintain robust privacy programs to ensure compliance with applicable privacy requirements and to manage the risk to individuals associated with the processing of PII.
[1] An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information [44 USC 3502]. The term information system includes, for example, general-purpose computing systems; industrial/process control systems; cyber-physical systems; weapons systems; supercomputers; command, control, and communications systems; devices such as smart phones and tablets; environmental control systems; embedded devices/sensors; and paper-based systems.
[2] Defense Science Board Task Force Report, Resilient Military Systems and the Advanced Cyber Threat [DSB 2013].
[3] Organizational operations include mission, functions, image, and reputation.
[4] Adverse impacts include, for example, compromises to systems supporting critical infrastructure applications or that are paramount to government continuity of operations as defined by the Department of Homeland Security.
[5] Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. Risk is also a function of the adverse impacts that arise if the circumstance or event occurs, and the likelihood of occurrence. Types of risk include program risk; compliance/regulatory risk; financial risk; legal risk; mission/business risk; political risk; security and privacy risk (including supply chain risk); project risk; reputational risk; safety risk; and strategic planning risk.
[6] [OMB A-130] defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
[7] Organizations may also choose to consider risks to individuals that may arise from interactions with information systems, where the processing of PII may be less impactful than the effect the system has on individuals’ behavior or activities. Such effects would constitute risks to individual autonomy, and organizations may need to take steps to manage those risks in addition to information security and privacy risks.
Closely related to, and a part of, security and privacy risks, supply chain risk [8] is also of growing concern to organizations. Because of the increased reliance on third-party or external providers and commercial-off-the-shelf products, systems, and services, attacks or disruptions in the supply chain which impact an organization’s systems are increasing. Such attacks can be difficult to trace or manage and can result in serious, severe, or catastrophic consequences for an organization’s systems. Supply chain risk management (SCRM) overlaps and works in harmony with security and privacy risk management. This publication integrates security and privacy risk management practices associated with SCRM into the RMF to help promote a comprehensive approach to managing security and privacy risk. While the publication is principally focused on managing information security and privacy risk, SCRM concepts that support security and privacy risk management are specifically called out in several areas to add emphasis and to clarify how they can be addressed using the RMF.
NIST, in its partnership with the Department of Defense, the Office of the Director of National Intelligence, and the Committee on National Security Systems, developed a Risk Management Framework (RMF) to improve information security, strengthen risk management processes, and encourage reciprocity [9] among organizations. In July 2016, the Office of Management and Budget (OMB) revised Circular A-130 to include responsibilities for privacy programs under the RMF.
The RMF emphasizes risk management by promoting the development of security and privacy capabilities into information systems throughout the system development life cycle (SDLC); [10] by maintaining situational awareness of the security and privacy posture of those systems on an ongoing basis through continuous monitoring processes; and by providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use and operation of their systems. The RMF:
- Provides a repeatable process designed to promote the protection of information and information systems commensurate with risk;
- Emphasizes organization-wide preparation necessary to manage security and privacy risks;
- Facilitates the categorization of information and systems, the selection, implementation, assessment, and monitoring of controls, and the authorization of information systems and common controls; [11]
- Promotes the use of automation for near real-time risk management and ongoing system and control authorization through the implementation of continuous monitoring processes;
- Encourages the use of correct and timely metrics to provide senior leaders and managers with the necessary information to make cost-effective, risk-based decisions for information systems supporting their missions and business functions;
- Facilitates the integration of security and privacy requirements [12] and controls into enterprise architecture, [13] SDLC, acquisition processes, and systems engineering processes;
- Connects risk management processes at the organization and mission/business process levels to risk management processes at the information system level through a senior accountable official for risk management and risk executive (function); [14] and
- Establishes responsibility and accountability for controls implemented within information systems and inherited by those systems.
The RMF provides a dynamic and flexible approach to effectively manage security and privacy risks in diverse environments with complex and sophisticated threats, evolving missions and business functions, and changing system and organizational vulnerabilities. The framework is policy and technology neutral, which facilitates ongoing upgrades to IT resources [15] and to IT modernization efforts—to support and help ensure essential missions and services are provided during such transition periods.
[8] SCRM requirements are promulgated in [OMB A-130], [DODI 5200.44], and for national security systems in [CNSSD 505]. SCRM requirements have also been addressed by the Federal SCRM Policy Coordinating Committee.
[9] Reciprocity is an agreement between organizations to accept one another’s security assessment results in order to reuse system resources or to accept each other’s assessed security posture in order to share information.
[10] [SP 800-64] and [SP 800-160 v1] provide guidance on security considerations in the SDLC.
[11] Chapter 3 describes the seven steps and associated tasks in the RMF.
[12] Section 2.6 describes the relationship between requirements and controls with respect to RMF execution.
[13] [OMB FEA] provides guidance on the Federal Enterprise Architecture.
[14] [OMB M-17-25] provides guidance on risk management roles and responsibilities.
[15] IT resources refer to the information technology component of information resources defined in [OMB A-130].
1.2 PURPOSE AND APPLICABILITY
This publication describes the RMF and provides guidelines for managing security and privacy risks and applying the RMF to information systems and organizations. The guidelines have been developed:
- To ensure that managing system-related security and privacy risk is consistent with the mission and business objectives of the organization and risk management strategy established by the senior leadership through the risk executive (function);
- To achieve privacy protections for individuals and security protections for information and information systems through the implementation of appropriate risk response strategies;
- To support consistent, informed, and ongoing authorization decisions, [16] reciprocity, and the transparency and traceability of security and privacy information;
- To facilitate the integration of security and privacy requirements and controls into the enterprise architecture, SDLC processes, acquisition processes, and systems engineering processes; [17] and
- To facilitate the implementation of the Framework for Improving Critical Infrastructure Cybersecurity [NIST CSF] within federal agencies. [18]
This publication is intended to help organizations [19] manage security and privacy risk and to satisfy the requirements in the Federal Information Security Modernization Act of 2014 [FISMA], the Privacy Act of 1974 [PRIVACT], OMB policies, and designated Federal Information Processing Standards, among other laws, regulations, and policies.
The scope of this publication pertains to federal information systems, which are discrete sets of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether such information is in digital or non-digital form. Information resources include information and related resources, such as personnel, equipment, funds, and information technology. The guidelines have been developed from a technical perspective to complement guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials with policy authority over such systems. State, local, and tribal governments, as well as private sector organizations are encouraged to use these guidelines, as appropriate.
[16] [SP 800-137] provides guidance on information security continuous monitoring supporting ongoing authorization. Future publications will address privacy continuous monitoring.
[17] [SP 800-160 v1] provides guidance on systems security engineering and building trustworthy, secure systems.
[18] [EO 13800] directs federal agencies to use the [NIST CSF] to manage cybersecurity risk.
[19] The term organization is used in this publication to describe an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements).
1.3 TARGET AUDIENCE
This publication serves individuals associated with the design, development, implementation, assessment, operation, maintenance, and disposition of information systems including:
- Individuals with mission or business ownership responsibilities or fiduciary responsibilities (e.g., heads of federal agencies);
- Individuals with information system, information security, or privacy management, oversight, or governance responsibilities (e.g., senior leaders, risk executives, authorizing officials, chief information officers, senior agency information security officers, and senior agency officials for privacy);
- Individuals responsible for conducting security or privacy assessments and for monitoring information systems (e.g., control assessors, auditors, and system owners);
- Individuals with security or privacy implementation and operational responsibilities (e.g., system owners, common control providers, information owners/stewards, mission or business owners, security or privacy architects, and systems security or privacy engineers);
- Individuals with information system development and acquisition responsibilities (e.g., program managers, procurement officials, component product and system developers, systems integrators, and enterprise architects); and
- Individuals with logistical or disposition-related responsibilities (e.g., program managers, procurement officials, system integrators, and property managers).
For a comprehensive list and description of roles and responsibilities associated with the RMF, see Appendix D.
1.4 ORGANIZATION OF THIS PUBLICATION
The remainder of this special publication is organized as follows:
- Chapter Two describes the concepts associated with managing information system-related security and privacy risk. This includes an organization-wide view of risk management; the RMF steps and task structure; the relationship between information security and privacy programs and how these programs are addressed in the RMF; information resources as system and system elements; authorization boundaries; security and privacy posture; and security and privacy considerations related to supply chain risk management.
- Chapter Three describes the tasks required to implement the steps in the RMF including: organization-level and information system-level preparation; categorization of information and information systems; control selection, tailoring, and implementation; assessment of control effectiveness; information system and common control authorization; the ongoing monitoring of controls; and maintaining awareness of the security and privacy posture of information systems and the organization.
- Supporting Appendices provide additional information and guidance for the application of the RMF including:
- Glossary of Terms;
- Roles and Responsibilities;
- Summary of RMF Tasks;
- System and Common Control Authorizations;
- Authorization Boundary Considerations; and
- System Life Cycle Considerations.