As a follow-on to a previous posting titled "Federal Agencies Lack Proper Security-Related Risk Management Practices" (http://blog.isc2.org/isc2_blog/2010/02/federal-agencies-lack-proper-securityrelated-risk-management-practices.html), I am dedicating the next few postings, referred to as "Demystify the Risk Management Framework", to clarifying the RMF and the role Risk Management plays within the System Development Lifecycle (SDLC).
In parallel, I have organized a series of presentations that will provide a more detailed examination of the Risk Management Framework (RMF) collectively drawn from multiple NIST publications with the intent of providing an end-to-end discussion of the RMF and how it can be used to manage organizational risk.
Several publications are at the core of the RMF (some still in draft form, some requiring updates, and some already published or recently updated). Refer to the publication schedule for additional information: http://csrc.nist.gov/groups/SMA/fisma/documents/milestone-schedule-v44.pdf
- FIPS 199 (February 2004)
- FIPS 200 (March 2006)
- NIST 800-60, Rev. 1 (August 2008)
- NIST SP 800-37, Rev. 1 (February 2010)
- NIST SP 800-30 (July 2002)
- NIST SP 800-53, Rev. 3 (August 2009)
- NIST SP 800-18, Rev. 1 (February 2006)
- NIST SP 800-39 (2nd Draft - last publication April 2008 with the next publication anticipated November 2010)
- NIST SP 800-XX (anticipated March 2011)
- NIST SP 800-YY (anticipated May 2011)
- NIST SP 800-30, Rev. 1 (anticipated December 2010)
- NIST SP 800-53A, Rev. 1 (anticipated June 2010)
- NIST SP 800-18, Rev. 2 (anticipated February 2011)
Beyond these publications, NIST is continuously working to add "best practice" and "topic specific" references/reports to their library of documentation (http://csrc.nist.gov/publications/index.html).
However, as a point of interest, I feel that the demand for real-time guidance and extended outreach to the private/public sector through training forums is a critical "missing link" for the Federal Government to satisfy its role of securing federal information systems and to ensure the federal/contractor workforce is effective. Additionally, NIST should be given more resource authority and focus to ensure the documentation it publishes is easily accessible and easy to use. Therefore, a key function is to create more useful mechanisms to deliver and interpret the guidance/reports for the senior leadership, management, and practitioners (federal or contractor) who use the guidance to perform the RMF function. In many Federal Agencies, Risk Management is handled at the Information System Level (Level 3 of the Risk Management Hierarchy). Since NIST SP 800-39 has not been published as Final, the gap in translating risks to the Enterprise Level or Organizational Governance Level will lack a consensus approach for cross-government adoption. Although some Federal Agencies have an in-house Risk Management capability (for example, the recent GCN article titled "Consensus is growing for the reform of flawed FISMA" briefly noted the Risk Management approach used by the Department of State), many do not have the skillset, or do not apply appropriate resources, to effectively operate a Risk Executive (Function).
In the series to follow, specific attention will be given to a multitude of topics regarding the Risk Management Framework: how the framework is designed and how it should be applied to federal information systems to better achieve many of the goals included in legislation "stalling" in the Senate or House, and discussed heavily in conferences, news articles, blogs, etc., to reduce the focus on compliance and instead develop capabilities for risk management and continuous monitoring to achieve an effective security and risk posture.
The first presentation focuses on providing an overview of the first 3 steps within the RMF.