Risk Management Framework (RMF): An Overview


The Risk Management Framework (RMF) is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010.

Today, the RMF is maintained by the National Institute of Standards and Technology (NIST), and provides a solid foundation for any data security strategy.

What is the Risk Management Framework (RMF)?

The elegantly titled “NIST SP 800-37 Rev.1” defines the RMF as a 6-step process to architect and engineer a data security process for new IT systems, and suggests best practices and procedures each federal agency must follow when enabling a new system. In addition to the primary document SP 800-37, the RMF uses supplemental documents SP 800-30, SP 800-53, SP 800-53A, and SP 800-137.

Risk Management Framework (RMF) Steps

We’ve visualized the RMF 6-step process below. Browse through the graphic and take a look at the steps in further detail beneath.

[Graphic: risk management framework steps]

Step 1: Categorize Information System 

The Information System Owner assigns a security role to the new IT system based on mission and business objectives. The security role must be consistent with the organization’s risk management strategy.

Step 2: Select Security Controls 

The security controls for the project are selected and approved by leadership from the common controls, and supplemented by hybrid or system-specific controls. Security controls are the hardware, software, and technical processes required to fulfill the minimum assurance requirements as stated in the risk assessment. Additionally, the agency must develop plans for continuous monitoring of the new system during this step.

Step 3: Implement Security Controls 

Simply put, this step puts step 2 into action. By the end of this step, the agency should have documented and proven that it has achieved the minimum assurance requirements and demonstrated the correct use of information system and security engineering methodologies.

Step 4: Assess Security Controls 

An independent assessor reviews and approves the security controls as implemented in step 3. If necessary, the agency must address and remediate any weaknesses or deficiencies the assessor finds and then update the security plan accordingly.

Step 5: Authorize Information System

The agency must present an authorization package for risk assessment and risk determination. The authorizing agent then submits the authorization decision to all necessary parties.

Step 6: Monitor Security Controls

The agency continues to monitor the current security controls and update security controls based on changes to the system or the environment. The agency regularly reports on the security status of the system and remediates any weaknesses as necessary.

How Can Varonis Help You Be Compliant?

NIST regulation and the RMF (in fact, many of the data security standards and compliance regulations) have three areas in common:

  • Identify your sensitive and at-risk data and systems (including users, permissions, folders, etc.);
  • Protect that data, manage access, and minimize the risk surface;
  • Monitor and detect what’s happening on that data, who’s accessing it, and identify when there is suspicious behavior or unusual file activity.

The Varonis Data Security Platform enables federal agencies to manage (and automate) many of these practices and regulations required in the RMF.

DatAdvantage and Data Classification Engine identify sensitive data on core data stores and map user, group, and folder permissions, so that you can identify where your sensitive data is and who can access it. Knowing who has access to your data is a key component of the risk assessment phase, defined in NIST SP 800-53.

Data security analytics helps meet the NIST SP 800-53 requirement to constantly monitor your data: Varonis analyzes monitored data against dozens of threat models that warn you of ransomware, malware, misconfigurations, insider attacks, and more.

NIST SP 800-137 establishes guidelines to protect your data and requires that the agency meet a least privilege model. DatAdvantage, Automation Engine, and DataPrivilege streamline permissions and access management, and provide a way to more easily get to least privilege and automate permissions cleanup.

While the Risk Management Framework is complex on the surface, ultimately it’s a no-nonsense and logical approach to good data security practices at its core – see how Varonis can help you meet the NIST SP 800-37 RMF guidelines today.
