800-137 - Risk Management Framework for Information Systems

The purpose of the Prepare step is to carry out essential activities at the organization, mission and business process, and information system levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.

Identify and assign individuals to specific roles associated with security and privacy risk management.

Organizations ensure that there are no conflicts of interest when assigning the same individual to multiple risk management roles. For example, authorizing officials cannot occupy the role of system owner or common control provider for systems or common controls they are authorizing.

Establish a risk management strategy for the organization that includes a determination of risk tolerance.

The risk management strategy makes explicit the threats, assumptions, constraints, priorities, trade-offs and risk tolerance used for making investment and operational decisions.

Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis.

The organization considers the totality of risk from the operation and use of its information systems, from information exchange and connections with other internally and externally owned systems, and from the use of external providers.

Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles.

Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.

Prioritize organizational systems with the same impact level.

The application of the high-water mark concept results in systems designated as low impact, moderate impact, or high impact. Organizations desiring granularity in their impact designations for risk-based decision making can use this task to prioritize their systems within each impact level.
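A worked illustration of the high-water mark and of prioritizing systems within one impact level, added here and not code from the page or from NIST; the systems, information types and the `mission_criticality` tie-breaker score are constructed assumptions:

```python
"""High-water-mark categorization and within-level prioritization.
Added illustration, not code from the page or from NIST: a system's level per
objective is the highest over its information types, and the overall level is
the highest of the three. Systems, types and 'mission_criticality' are constructed."""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")            # least to most severe
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

@dataclass
class System:
    name: str
    info_types: list
    mission_criticality: int = 0   # assumed score used to rank within a level

def high_water_mark(levels):
    """Return the most severe impact level present in `levels`."""
    levels = list(levels)
    if not levels or any(l not in LEVELS for l in levels):
        raise ValueError(f"empty or unknown impact levels: {levels}")
    return max(levels, key=LEVELS.index)

def categorize(system):
    """Per-objective high-water mark plus the overall system impact level."""
    result = {obj: high_water_mark(getattr(t, obj) for t in system.info_types)
              for obj in OBJECTIVES}
    result["system"] = high_water_mark(result.values())
    return result

def prioritize_within_levels(systems):
    """Group systems by overall impact, then rank each group by criticality."""
    groups = {lvl: [] for lvl in LEVELS}
    for s in systems:
        groups[categorize(s)["system"]].append(s)
    return {lvl: [s.name for s in sorted(members, key=lambda s: -s.mission_criticality)]
            for lvl, members in groups.items()}

def example_systems():
    """Constructed inventory for the worked example (illustrative values only)."""
    return [
        System("public-website", [InfoType("press releases", "low", "low", "low")], 1),
        System("payroll", [InfoType("employee PII", "moderate", "moderate", "low"),
                           InfoType("pay schedule", "low", "moderate", "moderate")], 3),
        System("hr-portal", [InfoType("benefits data", "moderate", "low", "low")], 2),
        System("incident-tracker", [InfoType("case records", "high", "moderate", "low")], 2),
    ]
```

Note that the payroll system ends up moderate on all three objectives even though no single information type is moderate on all three, which is exactly the effect of the high-water mark.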

Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.

The continuous monitoring strategy identifies the minimum monitoring frequency for implemented controls across the organization; defines the ongoing control assessment approach; and describes how ongoing assessments are to be conducted (e.g., addressing the use and management of automated tools, and instructions for ongoing assessment of controls whose assessment cannot be automated).

Identify the missions, business functions, and mission/business processes that the system is intended to support.

Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system.

Identify assets that require protection.

Assets are tangible and intangible items that are of value to achievement of mission or business objectives. Tangible assets are physical in nature and include physical/environmental elements (e.g., non-digital information, structures, facilities), human elements, and technology/machine elements (e.g., hardware elements, mechanisms, and networks). In contrast, intangible assets are not physical in nature and include mission and business processes, functions, digital information and data, firmware, software, and services.

Determine the authorization boundary of the system.

Authorization boundaries establish the scope of protection for information systems (i.e., what the organization agrees to protect under its management control or within the scope of its responsibilities).

Authorization boundaries are determined by authorizing officials with input from the system owner based on mission, management, or budgetary responsibility. A clear delineation of authorization boundaries is important for accountability and for security categorization, especially in situations where lower-impact systems are connected to higher-impact systems, or when external providers are responsible for the operation or maintenance of a system.

To conduct effective risk assessments and select appropriate controls, privacy and security programs provide a clear and consistent understanding of what constitutes the authorization boundary. Understanding the authorization boundary and what will occur beyond it may influence controls selected and how they are implemented.

Identify the types of information to be processed, stored, and transmitted by the system.

Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system.

The information life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion.

Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis.

Assessment of security risk includes identification of threat sources and threat events affecting assets, whether and how the assets are vulnerable to the threats, the likelihood that an asset vulnerability will be exploited by a threat, and the impact (or consequence) of loss of the assets. As a key part of the risk assessment, assets are prioritized based on the adverse impact or consequence of asset loss.

Define the security and privacy requirements for the system and the environment of operation.

Determine the placement of the system within the enterprise architecture.

Allocate security and privacy requirements to the system and to the environment of operation.

Register the system with program or management offices.

Document the characteristics of the system.

The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.

Categorize the system and document the security categorization results.

Review and approve the security categorization results and decision.

Select the controls for the system and the environment of operation.

The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.

There are two approaches that can be used for the initial selection of controls: a baseline control selection approach, or an organization-generated control selection approach. The baseline control selection approach uses control baselines, which are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Control baselines serve as a starting point for the protection of individuals' privacy, information, and information systems.

Tailor the controls selected for the system and the environment of operation.

After selecting the applicable control baselines, organizations tailor the controls based on various factors (e.g., missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance).

Organizations use risk assessments to inform and guide the tailoring process. Threat information from security risk assessments provides information on adversary capabilities, intent, and targeting that may affect organizational decisions regarding the selection of security controls, including the associated costs and benefits.

Allocate security and privacy controls to the system and to the environment of operation.

Document the controls for the system and environment of operation in security and privacy plans.

The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. The description includes planned inputs, expected behavior, and expected outputs where appropriate.

Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy.

Review and approve the security and privacy plans for the system and the environment of operation.

The purpose of the Implement step is to implement the controls in the security and privacy plans for the system and for the organization and to document in a baseline configuration, the specific details of the control implementation.

Implement the controls in the security and privacy plans.

Organizations use best practices when implementing controls, including systems security and privacy engineering methodologies, concepts, and principles.

Organizations also ensure that mandatory configuration settings are established and implemented on system elements in accordance with federal and organizational policies.

For common controls that do not meet the requirements for the system inheriting the controls or when common controls have unacceptable deficiencies, the system owners identify compensating or supplementary controls to be implemented.

Document changes to planned control implementations based on the “as-implemented” state of controls.

Despite the control implementation details in the security and privacy plans and the system design documents, it is not always feasible to implement controls as planned. Therefore, as control implementations are carried out, the security and privacy plans are updated with as-implemented control implementation details.

Documenting the “as implemented” control information is essential to providing the capability to determine when there are changes to the controls, whether those changes are authorized, and the impact of the changes on the security and privacy posture of the system and the organization.

The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

Select the appropriate assessor or assessment team for the type of control assessment to be conducted.

Develop, review, and approve plans to assess implemented controls.

Security and privacy assessment plans are developed by control assessors based on the implementation information contained in security and privacy plans, program management control documentation, and common control documentation.

Assess the controls in accordance with the assessment procedures described in assessment plans.

Control assessments determine the extent to which the selected controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security and privacy requirements for the system and the organization.

Common controls (i.e., controls that are inherited by the system) are assessed separately (by assessors chosen by common control providers or the organization) and need not be assessed as part of a system-level assessment.

Organizations ensure that assessors have access to the information system and environment of operation where the controls are implemented and to the documentation, records, artifacts, test results, and other materials needed to assess the controls.

Prepare the assessment reports documenting the findings and recommendations from the control assessments.

The results of the security and privacy control assessments, including recommendations for correcting deficiencies in the implemented controls, are documented in the assessment reports by control assessors.

Conduct initial remediation actions on the controls and reassess remediated controls.

The security and privacy assessment reports describe deficiencies in the controls that could not be resolved during the development of the system or that are discovered post-development. Such control deficiencies may result in security and privacy risks (including supply chain risks). The findings generated during control assessments provide information that facilitates risk responses based on organizational risk tolerance and priorities.

Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports.

The plan of action and milestones describes the actions that are planned to correct deficiencies in the controls identified during the assessment of the controls and during continuous monitoring.

The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.

Assemble the authorization package and submit the package to the authorizing official for an authorization decision.

Authorization packages include security and privacy plans, security and privacy assessment reports, plans of action and milestones, and an executive summary. Additional information can be included in the authorization package at the request of the authorizing official.

Analyze and determine the risk from the operation or use of the system or the provision of common controls.

Identify and implement a preferred course of action in response to the risk determined.

After risk is analyzed and determined, organizations can respond to risk in a variety of ways, including acceptance of risk and mitigation of risk.

Because the authorizing official is the only person who can accept risk, the authorizing official is responsible for reviewing the assessment reports and plans of action and milestones and determining whether the identified risks need to be mitigated prior to authorization.

Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable.

Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk.

The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.

Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system.

Common activities within organizations can cause changes to systems or the environments of operation and can have a significant impact on the security and privacy posture of systems. Examples include installing or disposing of hardware, making changes to configurations, and installing patches outside of the established configuration change control process. Unauthorized changes may occur because of purposeful attacks by adversaries or inadvertent errors by authorized personnel.
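One way to operationalize the point above, as an added example that is not code from the page or from NIST: diff the recorded baseline configuration against the current state, then cross-check each difference against change-control records so that changes made outside the established process surface as unauthorized. The components, settings and the `ChangeRecord` structure with its `approved` flag are constructed assumptions.

```python
"""Detecting changes made outside the configuration change control process.
Added example, not code from the page or from NIST. It diffs a system's
recorded baseline configuration against its current state, then checks each
difference against approved change records; a difference with no approved
record is reported as unauthorized. All sample values are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ChangeRecord:
    component: str
    setting: str
    new_value: str
    approved: bool          # assumed: set when change control approved it

def detect_drift(baseline, current):
    """Return {(component, setting): (old, new)} for every differing setting.
    A setting present on only one side is reported with None for the other."""
    drift = {}
    for comp in set(baseline) | set(current):
        base_cfg, cur_cfg = baseline.get(comp, {}), current.get(comp, {})
        for key in set(base_cfg) | set(cur_cfg):
            old, new = base_cfg.get(key), cur_cfg.get(key)
            if old != new:
                drift[(comp, key)] = (old, new)
    return drift

def classify_changes(drift, change_records):
    """Split drift into (authorized, unauthorized) dicts. A change counts as
    authorized only if an approved record matches component, setting and
    the value actually observed; a rejected or missing record means not."""
    approved = {(r.component, r.setting, r.new_value)
                for r in change_records if r.approved}
    authorized, unauthorized = {}, {}
    for (comp, key), (old, new) in drift.items():
        bucket = authorized if (comp, key, new) in approved else unauthorized
        bucket[(comp, key)] = (old, new)
    return authorized, unauthorized

def example_inputs():
    """Constructed baseline, current state and change records (illustrative)."""
    baseline = {
        "web-01": {"tls_min_version": "1.2", "patch_level": "2024-03", "admin_port": "closed"},
        "db-01": {"audit_logging": "on", "patch_level": "2024-03"},
    }
    current = {
        "web-01": {"tls_min_version": "1.2", "patch_level": "2024-04", "admin_port": "open"},
        "db-01": {"audit_logging": "off", "patch_level": "2024-03"},
        "cache-01": {"patch_level": "2024-04"},      # new component, never recorded
    }
    records = [
        ChangeRecord("web-01", "patch_level", "2024-04", approved=True),
        ChangeRecord("db-01", "audit_logging", "off", approved=False),   # rejected
    ]
    return baseline, current, records
```

On the constructed data only the web-01 patch is authorized; the opened admin port, the disabled audit logging (whose change request was rejected) and the unrecorded cache-01 component all fall into the unauthorized bucket and would feed the plans of action and milestones.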

Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy.

Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones.

Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process.

To achieve near real-time risk management, the organization updates security and privacy plans, security and privacy assessment reports, and plans of action and milestones on an ongoing basis. Updates to the plans reflect modifications to controls based on risk mitigation activities carried out by system owners or common control providers.

Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy.

At a minimum, security and privacy posture reports summarize changes to the security and privacy plans, security and privacy assessment reports, and plans of action and milestones that have occurred since the last report.

Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable.

The authorizing official determines whether the current risk is acceptable and provides appropriate direction to the system owner or common control provider. The authorizing official may determine that the risk remains at an acceptable level for continued operation or that the risk is no longer at an acceptable level for continued operation, and may issue a denial of authorization to operate, authorization to use, or common control authorization.

Implement a system disposal strategy and execute required actions when a system is removed from operation.

When a system is removed from operation, several risk management actions are required. Organizations ensure that controls addressing system disposal are implemented. Examples include media sanitization; configuration management and control; component authenticity; and record retention. Organizational tracking and management systems (including inventory systems) are updated to indicate the system that is being removed from service.
