Assess and Manage Risk with the NIST Cybersecurity Framework

Defining the system

• Prescribing the system security boundary
• Pinpointing system interconnections
• Incorporating characteristics of Industrial Control Systems (ICS) and FedRAMP-compliant cloud-based systems

Identifying security risk components

• Estimating the impact of compromises to confidentiality, integrity and availability
• Adopting the appropriate model for categorizing system risk
• Specialized considerations for U.S. Government classified information

Setting the stage for successful risk management

• Documenting critical risk assessment and management decisions in the System Security Plan (SSP)
• Appointing qualified individuals to risk governance roles

Assigning a security control baseline

• Investigating security control families
• Determining the baseline from system security impact
• Specialized considerations for National Security Systems (NSS)

Tailoring the baseline to fit the system

• Examining the structure of security controls, enhancements and parameters
• Binding control overlays to the selected baseline
• Gauging the need for enhanced assurance
• Distinguishing system-specific, compensating and non-applicable controls

Specifying the implementation approach

• Maximizing security effectiveness by "building in" security
• Reducing residual risk in legacy systems via "bolt-on" security elements

Applying NIST controls

• Enhancing system robustness through selection of evaluated and validated components
• Coordinating implementation approaches to administrative, operational and technical controls
• Providing evidence of compliance through supporting artifacts
• Implementing CNSSI-1253 for national security systems

Developing an assessment plan

• Prioritizing depth of control assessment
• Optimizing validation through sequencing and consolidation
• Verifying compliance through tests, interviews and examinations

Formulating an authorization recommendation

• Evaluating overall system security risk
• Mitigating residual risks
• Publishing the Plan of Action and Milestones (POA&M), the risk assessment and recommendation

Aligning authority and responsibility

• Quantifying organizational risk tolerance
• Elevating authorization decisions in high-risk scenarios

Forming a risk-based decision

• Appraising system operational impact
• Weighing residual risk against operational utility
• Issuing Authority to Operate (ATO)

• Justifying continuous reauthorization
• Preserving an acceptable security posture