There are a number of approaches to managing risk. Managing risk is a complex process and requires the input from the whole organization. There are three tiers associated with the respective portions of the organization:

  • Tier 1 – Organizational Level – At this level, risk is assessed from an organizational perspective with mitigation strategies such as governance and holistic strategies involving risk tolerance, monitoring and oversight.
  • Tier 2 – Mission/Business Process – Risk is assessed from the processes associated with the mission/business and is guided by the decision from Tier 1.
  • Tier 3 – Information System – The risk associated with information systems is evaluated and guided by the decisions from Tiers 1 & 2. The selection of security controls leverages those outlined in NIST SP 800-53.

The risk management process begins early in the System Development Life Cycle (SDLC). A majority of the work of the RMF is done at Tier 3.

Security Controls

There are three type so security controls that can be used within an organization:

  • System-Specific Controls – controls that are focused on a particular system.
  • Common Controls – provide cost effective and efficient protection for multiple systems.
  • Hybrid Controls – include characteristics of both common and system specific controls.

The RMF Process

  • RMF Step 1 – Categorization – Information must be categorized for information systems and how data is processed, transmitted and stored. Additionally, the impact of this data on the organization must be considered.
  • RMF Step 2 – Selection – Based on security categorizations, a baseline of minimum security controls will be selected to protect information systems as appropriate.
  • RMF Step 3 – Implementation – The selected security controls are implemented as identified from the selection process. In addition, security control documentation occurs to illustrate the implementation of system-specific, common, and hybrid controls.
  • RMF Step 4 – Assessment – In order to ensure that the selected security controls are meeting their intended requirements, approved assessment procedures are utilized to confirm they are configured properly, functioning as expected, and are performing to meet the necessary requirements.
  • RMF Step 5 – Authorization – Based on the decision that acceptable risk to the organization, assets, individuals, and other organizations has been achieved, the operation of the information system will be authorized.
  • RMF Step 6 – Monitor – The ongoing monitoring of security controls for the information systems will occur regularly with adjustments made as necessary.