Simplifying Your Risk Management Framework
Information Assurance requirements outlined in NIST SP 800-53, DoDI 8500.2, and AR 25-2 require agencies and military installations to implement a broad set of people, process, and technology controls to help protect government networks. Historically, meeting the technology requirements meant deploying several point tools, one for each requirement. SecureVue collects a broad array of data elements and, as a result, can meet several of the IA requirements without the need to acquire multiple tools: compliance management, configuration auditing, and audit log management are handled within a single tool.
What is the Risk Management Framework (RMF)?
Details regarding RMF are spelled out in NIST Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems.” The Risk Management Framework is exactly that: a framework around which federal agencies can build their cyber security programs. It is not about implementing a set of predefined controls. It is about implementing the RIGHT controls based upon the “mission and business objectives of the organization…The results of the security categorization process influence the selection of appropriate security controls for the information system and also, where applicable, the minimum assurance requirements for that system.”
In other words, the controls selected are based upon the importance of the systems in question. Once the controls are selected and implemented, the next step is to assess the system to ensure it meets the cyber security controls selected in the previous steps. Any weaknesses or gaps are documented, and final authorization for the system to operate is granted so long as the risks posed by those gaps are deemed “acceptable.” A key part of RMF is the final step, which covers monitoring the security controls. In this step, organizations must:
- Continuously monitor changes to the systems
- Analyze the “security impacts of identified changes”
- Conduct “ongoing assessments of security controls in accordance with the monitoring strategy”
- Remediate weaknesses on an ongoing basis
- Implement a process to report the security status to the authorizing official
- Update their critical risk management documents routinely
- Conduct ongoing security authorizations