Executive Summary
As we push computers to “the edge,” building a complex world of interconnected information systems and devices, security and privacy risks (including supply chain risks) continue to be a large part of the national conversation and topics of great importance. The significant increase in the complexity of the hardware, software, firmware, and systems within the public and private sectors (including the U.S. critical infrastructure) represents a significant increase in attack surface that can be exploited by adversaries. Moreover, adversaries are using the supply chain as an attack vector and effective means of penetrating our systems, compromising the integrity of system elements, and gaining access to critical assets.
The Defense Science Board Report, Resilient Military Systems and the Advanced Cyber Threat [DSB 2013], provides a sobering assessment of the vulnerabilities in the United States Government, the U.S. critical infrastructure, and the systems supporting the mission-essential operations and assets in the public and private sectors.
“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…”
There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure—ensuring that the systems, products, and services are sufficiently trustworthy throughout the system development life cycle (SDLC) and can provide the necessary resilience to support the economic and national security interests of the United States. System modernization, the increased use of automation, and the consolidation, standardization, and optimization of federal systems and networks to strengthen the protection for high value assets [OMB M-19-03], are key objectives for the federal government.
Executive Order (E.O.) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [EO 13800] recognizes the increasing interconnectedness of Federal information systems and requires heads of agencies to ensure appropriate risk management not only for the Federal agency’s enterprise, but also for the Executive Branch as a whole. The E.O. states:
“…The executive branch operates its information technology (IT) on behalf of the American people. Its IT and data should be secured responsibly using all United States Government capabilities…”
“…Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents…”
OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [OMB M-17-25] provides implementation guidance to Federal agencies for E.O. 13800. The memorandum states:
“… An effective enterprise risk management program promotes a common understanding for recognizing and describing potential risks that can impact an agency’s mission and the delivery of services to the public. Such risks include, but are not limited to, strategic, market, cyber, legal, reputational, political, and a broad range of operational risks such as information security, human capital, business continuity, and related risks…”
“… Effective management of cybersecurity risk requires that agencies align information security management processes with strategic, operational, and budgetary planning processes…”
OMB Circular A-130, Managing Information as a Strategic Resource [OMB A-130], addresses responsibilities for protecting federal information resources and for managing personally identifiable information (PII). Circular A-130 requires agencies to implement the RMF that is described in this guideline and requires agencies to integrate privacy into the RMF process. In establishing requirements for information security programs and privacy programs, the OMB circular emphasizes the need for both programs to collaborate on shared objectives:
“While security and privacy are independent and separate disciplines, they are closely related, and it is essential for agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with applicable requirements….”
This update to NIST Special Publication 800-37 (Revision 2) responds to the call by the Defense Science Board, the Executive Order, and the OMB policy memorandum to develop the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals.
There are seven major objectives for this update:
- To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
- To demonstrate how the NIST Cybersecurity Framework [NIST CSF] can be aligned with the RMF and implemented using established NIST risk management processes;
- To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1 [SP 800-160 v1], with the relevant tasks in the RMF;
- To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.
The addition of the Prepare step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. The primary objectives for institutionalizing organization-level and system-level preparation are:
- To facilitate effective communication between senior leaders and executives at the organization and mission/business process levels and system owners at the operational level;
- To facilitate organization-wide identification of common controls and the development of organizationally-tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection;
- To reduce the complexity of the information technology (IT) and operations technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services;
- To reduce the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk; and
- To identify, prioritize, and focus resources on the organization’s high value assets (HVA) that require increased levels of protection—taking measures commensurate with the risk to such assets.
By achieving the above objectives, organizations can simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks. Organizations implementing the RMF will be able to:
- Use the tasks and outputs of the Organization-Level and System-Level Prepare step to promote a consistent starting point within organizations to execute the RMF;
- Maximize the use of common controls at the organization level to promote standardized, consistent, and cost-effective security and privacy capability inheritance;
- Maximize the use of shared or cloud-based systems, services, and applications to reduce the number of authorizations needed across the organization;
- Employ organizationally-tailored control baselines to increase the speed of security and privacy plan development and the consistency of security and privacy plan content;
- Employ organization-defined controls based on security and privacy requirements generated from a systems security engineering process;
- Maximize the use of automated tools to manage security categorization; control selection, assessment, and monitoring; and the authorization process;
- Decrease the level of effort and resource expenditures for low-impact systems if those systems cannot adversely affect higher-impact systems through system connections;
- Maximize the reuse of RMF artifacts (e.g., security and privacy assessment results) for standardized hardware/software deployments, including configuration settings;
- Reduce the complexity of the IT/OT infrastructure by eliminating unnecessary systems, system components, and services—employing the least functionality principle; and
- Make the transition to ongoing authorization a priority and use continuous monitoring approaches to reduce the cost and increase the efficiency of security and privacy programs.
Recognizing that the preparation for RMF execution may vary from organization to organization, achieving the above objectives can reduce the overall IT/OT footprint and attack surface of organizations, promote IT modernization objectives, conserve resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.
COMMON SECURITY AND PRIVACY RISK FOUNDATIONS
In developing standards and guidelines, NIST consults with federal agencies, state, local, and tribal governments, and private sector organizations; avoids unnecessary and costly duplication of effort; and ensures that its publications are complementary with the standards and guidelines used for the protection of national security systems. In addition to implementing a transparent public review process for its publications, NIST collaborates with the Office of Management and Budget, the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems, and has established a unified risk management framework for the federal government. This common foundation provides the Civil, Defense, and Intelligence Communities of the federal government and their contractors, cost-effective, flexible, and consistent methods and techniques to manage security and privacy risks to organizational operations and assets, individuals, other organizations, and the Nation. The unified framework also provides a strong basis for reciprocal acceptance of assessment results and authorization decisions and facilitates information sharing and collaboration. NIST continues to work with public and private sector entities to establish mappings and relationships between its security and privacy standards and guidelines and those developed by external organizations.
ACCEPTANCE OF SECURITY AND PRIVACY RISK
The Risk Management Framework addresses security and privacy risk from two perspectives—an information system perspective and a common controls perspective. For an information system, authorizing officials issue an authorization to operate or authorization to use for the system, accepting the security and privacy risks to the organization’s operations and assets, individuals, other organizations, and the Nation. For common controls, authorizing officials issue a common control authorization for a specific set of controls that can be inherited by designated organizational systems, accepting the security and privacy risks to the organization’s operations and assets, individuals, other organizations, and the Nation. Authorizing officials also consider the risk of inheriting common controls as part of their system authorizations. The different types of authorizations are described in Appendix F.
THE RMF IS TECHNOLOGY NEUTRAL
The RMF is purposefully designed to be technology neutral so that the methodology can be applied to any type of information system* without modification. While the specific controls selected, control implementation details, and control assessment methods and objects may vary with different types of IT resources, there is no need to adjust the RMF process to accommodate specific technologies.
All information systems process, store, or transmit some type of information. For example, information about the temperature in a remote facility collected and transmitted by a sensor to a monitoring station, location coordinates transmitted by radio to a controller on a weapons system, photographic images transmitted by a remote camera (land/satellite-based) to a server, or health IT devices transmitting patient information via a hospital network, require protection. This information can be protected by: categorizing the information to determine the impact of loss; assessing whether the processing of the information could impact individuals’ privacy; and selecting and implementing controls that are applicable to the IT resources in use. Therefore, cloud-based systems, industrial/process control systems, weapons systems, cyber-physical systems, applications, IoT devices, or mobile devices/systems, do not require a separate risk management process but rather a tailored set of controls and specific implementation details determined by applying the existing RMF process.
The RMF is applied iteratively, as applicable, during the system development life cycle for any type of system development approach (including Agile and DevOps approaches). The security and privacy requirements and controls are implemented, verified, and validated as development progresses throughout the life cycle. This flexibility allows the RMF to support rapid technology cycles, innovation, and the use of current best practices in system and system component development.
*Note: The publication pertains to information systems, which are discrete sets of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether such information is in digital or non-digital form. Information resources include information and related resources, such as personnel, equipment, funds, and information technology. Therefore, information systems may or may not include hardware, firmware, and software.
USE OF AUTOMATION IN THE EXECUTION OF THE RMF
Organizations should maximize the use of automation, wherever possible, to increase the speed, effectiveness, and efficiency of executing the steps in the Risk Management Framework (RMF). Automation is particularly useful in the assessment and continuous monitoring of controls, the preparation of authorization packages for timely decision-making, and the implementation of ongoing authorization approaches—together facilitating a real-time or near real-time risk-based decision-making process for senior leaders. Organizations have significant flexibility in deciding when, where, and how to use automation or automated support tools for their security and privacy programs. In some situations, automated assessments and monitoring of controls may not be possible or feasible.
SCOPE AND APPLICABILITY
This publication is intended to help organizations manage security and privacy risk, and to satisfy the requirements in the Federal Information Security Modernization Act of 2014 (FISMA), the Privacy Act of 1974, OMB policies, and Federal Information Processing Standards, among other laws, regulations, and policies. The scope of this publication pertains to federal information systems, which are discrete sets of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether such information is in digital or non-digital form. Information resources include information and related resources, such as personnel, equipment, funds, and information technology.
While mandatory for federal government use, the RMF can be applied to any type of nonfederal organization (e.g., business, industry, academia). As such, State, local, and tribal governments, as well as private sector organizations are encouraged to use these guidelines on a voluntary basis, as appropriate. In addition, nonfederal organizations that have adopted and implemented the Cybersecurity Framework might find value in using the RMF as a risk management process for execution of the Framework—providing the essential tasks for control implementation, assessment, and monitoring, as well as system authorizations (for risk-based decision making).
MANAGING RISK
Using the Cybersecurity Framework
Executive Order (E.O.) 13800 requires federal agencies to modernize their IT infrastructure and systems and recognizes the increasing interconnectedness of federal information systems and networks. The E.O. also requires heads of agencies to manage risk at the agency level and across the Executive Branch using the Framework for Improving Critical Infrastructure Cybersecurity (i.e., Cybersecurity Framework). And finally, the E.O. reinforces the Federal Information Security Modernization Act (FISMA) of 2014 by holding heads of agencies responsible and accountable for managing the cybersecurity risk to their organizations.
The Cybersecurity Framework is adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes. Therefore, consistent with OMB Memorandum M-17-25, the federal implementation of the Cybersecurity Framework fully supports the use of and is consistent with the risk management processes and approaches defined in [SP 800-39] and NIST Special Publication 800-37. This allows agencies to meet their concurrent obligations to comply with the requirements of FISMA and E.O. 13800.
Each task in the RMF includes references to specific sections in the Cybersecurity Framework. For example, Task P-2, Risk Management Strategy, aligns with the Cybersecurity Framework Core [Identify Function]; Task P-4, Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles, aligns with the Cybersecurity Framework Profile construct; and Task R-5, Authorization Reporting, and Task M-5, Security and Privacy Reporting, support OMB reporting and risk management requirements organization-wide by using the Cybersecurity Framework constructs of Functions, Categories, and Subcategories. The Subcategory mappings to the [SP 800-53] controls are available at: https://www.nist.gov/cyberframework/federal-resources.
SECURITY AND PRIVACY IN THE RMF
Organizations are encouraged to collaborate on the plans, assessments, and plans of action and milestones (POAM) for security and privacy issues to maximize efficiency and reduce duplication of effort. The objective is to ensure that security and privacy requirements derived from laws, executive orders, directives, regulations, policies, standards, or missions and business functions are adequately addressed, and the appropriate controls are selected, implemented, assessed, and monitored on an ongoing basis. The authorization decision, a key step in the RMF, depends on the development of credible and actionable security and privacy evidence generated for the authorization package. Creating such evidence in a cost-effective and efficient manner is important.
The unified and collaborative approach to bring security and privacy evidence together in a single authorization package will support authorizing officials with critical information from security and privacy professionals to help inform the authorization decision. In the end, it is not about generating additional paperwork, artifacts, or documentation. Rather, it is about ensuring greater visibility into the implementation of security and privacy controls which will promote more informed, risk-based authorization decisions.