In the same way businesses have security measures for their physical locations, every business needs to shore up its cyberdefenses. With cybercrime on the rise, and hackers often outpacing even the strongest and smartest cybersecurity systems, it’s extremely important to keep all architecture and practices up to date. To that end, the NIST risk assessment framework is one of the best ways to understand exactly what risks are posed to your business, as well as how to mitigate and manage them.
That’s why you need to be thinking seriously about assessment.
Basics of the NIST Risk Assessment Framework
The National Institute of Standards and Technology, also known as NIST, is an agency within the broader United States Department of Commerce. It’s responsible for establishing many requirements and precedents for the operation of technology, including rules and regulations regarding the assessment and management of risk.
Over the course of the following sections, we’ll cover the following NIST frameworks and protocols in detail:
- NIST risk assessment (Special Publication 800-30)
- The NIST Risk Management Framework, or RMF (Special Publication 800-37)
- The NIST Cybersecurity Framework, or CSF
But first, let’s get into why any of this even matters.
Why is NIST Risk Assessment Important?
It’s important because risk assessment is an essential part of your institution’s overall cybersecurity practices. Plus, it may be a requirement for your business.
Businesses in the private sector may or may not need to follow the controls in the NIST Cybersecurity Framework (CSF). But all companies in business with the Department of Defense (DoD) need to follow NIST Risk Management Framework (RMF) principles, including risk assessment, due to the Federal Information Security Modernization Act (FISMA).
Let’s go over what the risk assessment protocols are, then dive deeper into the overall requirements of both the RMF and the CSF.
NIST Risk Assessment 101
The NIST risk assessment methodology is a relatively straightforward set of procedures laid out in NIST Special Publication 800-30, Guide for Conducting Risk Assessments. In this guide, NIST breaks the process down into four simple steps:
- Prepare assessment
- Conduct assessment
- Share assessment findings
- Maintain assessment
Let’s take a closer look at each, beginning with the preparation step:
Preparing the Assessment
This first step is key to the overall success of your risk assessment—and therefore your entire risk management. Preparation is heavily influenced and shaped by the framing stage of your risk management, which the RMF 101 section below covers in more detail.
In order to prepare for a full-fledged risk assessment, you need to:
- Identify purpose for the assessment.
- Identify scope of the assessment.
- Identify assumptions and constraints to use.
- Identify sources of information (inputs).
- Identify risk model and analytic approach to use.
Across these various identification processes, you’ll set yourself up for a successful implementation by knowing exactly what you’re studying, why, and how.
Conducting the Assessment
This step is the main focus of the entire risk assessment process; it entails putting your plan into action. The assessment comprises two main sub-processes.
The first is further identification, and the second involves analysis of data uncovered:
- Identification – You need to define what particular threats exist, what their sources are, and what potential events could occur as a result of vulnerabilities being exploited.
- Determination – Once you have identified the threats, you need to determine all possible negative impacts they could have on all parties involved, as well as the relative likelihood of each possible scenario.
Once all this data is compiled, it’s time to put it to use.
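The determination sub-step above combines a likelihood rating with an impact rating to arrive at a level of risk for each threat event. The following added example (not code from the original article or from NIST) shows that combination as a small risk register: each constructed threat event carries a source, the vulnerability it would exploit, and qualitative likelihood and impact ratings, and the register is ranked by the resulting risk. The scoring matrix is a simplified rendering of the kind of likelihood-by-impact table SP 800-30 presents; treat its exact cell values as an assumption of this example rather than a quotation of the publication.

```python
"""Qualitative risk determination in the style of NIST SP 800-30.

Added example, not code from the article or from NIST. The threat events
below are constructed sample input, and RISK_MATRIX is an assumed,
simplified likelihood-by-impact table.
"""
from dataclasses import dataclass

# Five-point qualitative scale used for likelihood, impact and risk.
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Rows: likelihood that a threat event occurs and results in adverse impact.
# Columns (in LEVELS order): magnitude of impact. Cell: level of risk.
# Assumed values; simplified from the SP 800-30 style of table.
RISK_MATRIX = {
    "very high": ["very low", "low", "moderate", "high", "very high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "very low":  ["very low", "very low", "very low", "low", "low"],
}


@dataclass(frozen=True)
class ThreatEvent:
    """One row of the risk register produced during 'Conduct assessment'."""
    name: str
    source: str          # threat source (adversarial, accidental, environmental)
    vulnerability: str   # weakness the event would exploit
    likelihood: str      # one of LEVELS
    impact: str          # one of LEVELS


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the level of risk for a likelihood/impact pair."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def rank_risks(events):
    """Score every event and return (event, risk) pairs, highest risk first.

    The sort is stable, so events with equal risk keep their input order.
    """
    scored = [(event, risk_level(event.likelihood, event.impact)) for event in events]
    scored.sort(key=lambda pair: LEVELS.index(pair[1]), reverse=True)
    return scored


# Constructed sample register; not drawn from any real assessment.
SAMPLE_EVENTS = [
    ThreatEvent("Credential stuffing against customer portal", "external adversary",
                "no multi-factor authentication on portal logins", "high", "moderate"),
    ThreatEvent("Ransomware via phishing attachment", "external adversary",
                "macro execution allowed in office documents", "moderate", "very high"),
    ThreatEvent("Backup media lost in transit", "accidental",
                "offsite backups not encrypted", "low", "high"),
    ThreatEvent("Flooding of the data center", "environmental",
                "single site with no failover", "very low", "very high"),
]


if __name__ == "__main__":
    # Print the ranked register, which is the input to 'Share assessment findings'.
    for event, risk in rank_risks(SAMPLE_EVENTS):
        print(f"{risk:>9} | {event.name} (source: {event.source}; "
              f"vulnerability: {event.vulnerability})")
```

The ranking, rather than the individual ratings, is what gets communicated in the sharing step: a very high impact event with very low likelihood (the flood) lands below a moderate-likelihood ransomware scenario, which is the kind of prioritisation the matrix exists to make explicit.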
Sharing Assessment Findings
The next step entails gathering the information generated from the assessment and communicating it to all parties who could be impacted by the risks and scenarios plotted.
This stage is more straightforward than the previous two. It’s virtually the same for all organizations that undertake it, with the caveat that major differences in scope and scale of both the company and the risk assessment are reflected in how this stage functions.
Maintaining the Assessment
The final part of the NIST risk assessment methodology entails setting yourself up for continued, ongoing assessment over the long term. This stage comprises a combination of detailed monitoring of all previously identified risk factors, as well as scanning for new ones.
In addition, you also need to constantly update your communication and other risk management practices based on new findings. It’s important that assessment is not an isolated one-time occurrence. Rather, it needs to be an element of your company’s overall culture.
NIST Risk Management Framework 101
NIST Special Publication 800-37, titled “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” is the document that details the specific procedures required for risk management.
As the name makes explicit, the RMF is comprehensive and long term, spanning the “life cycle” of a company. The seven steps detailed throughout the guide are:
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Now, let’s take a close look at each in order to better understand how they relate to risk assessment and overall management:
Step 1: Prepare
Just as the narrower NIST risk assessment process begins with preparation, so does the broader RMF. However, unlike the equivalent stage in the assessment process above, preparing for the RMF is a much less particular and granular exercise.
Rather than a specific set of items that need to be identified for study, preparation for company-wide risk management involves gathering all data possible that could pertain to risk. That includes information about all stakeholders in the company, as well as detailed breakdowns of the company’s assets and business practices.
This stage is all about compiling as much information as possible.
Step 2: Categorize
Once you have the information, it’s time to mobilize it for future analysis and processing by implementing strong indexing and categorization.
NIST publishes several documents that define the categories into which risk-related information may fall:
- The “Standards for Security Categorization of Federal Information and Information Systems,” detailed in FIPS PUB 199, break down specific categories based on:
  - Overall potential impact on the system
  - Specific resources and personnel impacted
- Volume 1 and Volume 2 of NIST Special Publication 800-60 detail particular categorization options based upon risks’ and solutions’:
This step, coupled with the first, completes the framing portion of risk management.
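FIPS 199 expresses the security category of an information type, and of a whole system, as an impact level (low, moderate or high) for each of confidentiality, integrity and availability; the overall system impact level used to pick a control baseline is the highest of the three (the “high water mark” of FIPS 200). The following added example (not code from the original article or from NIST) carries that categorization through for a constructed system made of three information types; the information types and their ratings are sample data and are not taken from SP 800-60.

```python
"""FIPS 199 security categorization with the high-water mark.

Added example, not code from the article or from NIST. The information
types below are constructed sample data, not drawn from SP 800-60.
"""

# FIPS 199 impact levels, ranked. "not applicable" is permitted only for
# confidentiality (information that is already public).
IMPACT_RANK = {"not applicable": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def security_category(confidentiality: str, integrity: str, availability: str) -> dict:
    """Build and validate the security category of one information type."""
    category = {
        "confidentiality": confidentiality,
        "integrity": integrity,
        "availability": availability,
    }
    for objective, level in category.items():
        if level not in IMPACT_RANK:
            raise ValueError(f"{objective}: unknown impact level {level!r}")
        if level == "not applicable" and objective != "confidentiality":
            raise ValueError("FIPS 199 allows 'not applicable' only for confidentiality")
    return category


def system_category(information_type_categories) -> dict:
    """Aggregate information-type categories into the system category.

    For each security objective the system inherits the highest impact
    level assigned to any information type it handles.
    """
    categories = list(information_type_categories)
    if not categories:
        raise ValueError("a system must handle at least one information type")
    return {
        objective: max((c[objective] for c in categories), key=IMPACT_RANK.__getitem__)
        for objective in OBJECTIVES
    }


def high_water_mark(category: dict) -> str:
    """Overall system impact level: the highest of the three objectives."""
    return max(category.values(), key=IMPACT_RANK.__getitem__)


def fips199_notation(system_name: str, category: dict) -> str:
    """Render a category in the notation FIPS 199 uses, e.g.
    SC system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)}."""
    parts = ", ".join(f"({objective}, {category[objective].upper()})" for objective in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample system: a customer portal handling three information types.
SAMPLE_INFORMATION_TYPES = {
    "public web content": security_category("not applicable", "low", "low"),
    "customer records": security_category("moderate", "moderate", "low"),
    "payment processing": security_category("moderate", "high", "moderate"),
}
SYSTEM_CATEGORY = system_category(SAMPLE_INFORMATION_TYPES.values())


if __name__ == "__main__":
    for name, category in SAMPLE_INFORMATION_TYPES.items():
        print(fips199_notation(name, category))
    print(fips199_notation("customer portal", SYSTEM_CATEGORY))
    print("overall system impact level:", high_water_mark(SYSTEM_CATEGORY))
```

The per-objective maximum is what makes categorization a framing activity: once a single information type on the system is rated high for integrity, the whole system is categorized high for integrity and the baseline selected in Step 3 follows from that, whatever the other information types look like.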
Step 3: Select
This step works in conjunction with the next; selection refers to the determination of any and all particular security controls that will be implemented in order to address the risks identified previously. Selection will depend upon the cybersecurity architecture deployed by the company, as well as any relevant compliance requirements.
Step 3 is also informed by Steps 1 and 2 in that the particular practices and measures selected pertain to the categorization of risks identified.
Step 4: Implement
Implementation comprises actually putting into place any and all controls and practices selected in the previous step. This can be an arduous process, and is by far the most involved and high-stakes portion of the entire RMF.
Some examples of what implementation may look like include:
- Adoption of pre-shared key identity authentication, per SP 800-77, “Guide to IPsec VPNs,” for companies migrating to or otherwise dealing with VPN issues.
- Corrections to bring inventory and other practices up to date according to the requirements detailed in SP 1800-23A, “Energy Sector Asset Management.”
The particular controls put in place will vary widely, depending on the specific risks being dealt with, as well as the needs and means of the organization.
Step 5: Assess
This step involves assessing the efficacy of all practices and measures implemented in the previous step. In particular, assessment seeks to identify success and failure rates (as well as outcomes and side effects) of the implementation step.
While it shares a name with the risk assessment procedure detailed above, it’s unrelated. This form of assessment does suss out whether risks are present, but that’s not the primary focus. Instead, you’re looking to see if your risk management practices worked.
The ultimate aim of assessment, as part of the RMF? Getting back to normal.
Step 6: Authorize
This is the stage where that stamp of normalcy is set—or isn’t. Authorization involves deciding whether or not some portion of your overall systems impacted by risk (or all systems) are fit to return to business as normal. A few of the most likely outcomes include:
- Full authorization to operate, subject to monitoring (see below)
- Indefinite or definite suspension of authorization to operate
- Full removal of authorization, pending radical recovery
This is ultimately the final payoff of all preceding steps – where you finally know whether your risks have been addressed well enough to return to normal.
But that doesn’t mean you’re done yet…
Step 7: Monitor
Finally, the last step in RMF involves an extension of the assessment process (step 5) over a longer period of time. Namely, in order to ensure proper authorization into the future, you need to monitor any impacted systems at regular intervals (once every 3 years, etc.) to ensure that no new threats have developed, nor have any previously addressed threats resurfaced.
NIST Cybersecurity Framework 101
Aside from the rigid RMF that DoD contractors must follow, NIST also publishes more generalized security guidelines applicable to businesses in any sector. The Cybersecurity Framework is detailed in the publication Framework for Improving Critical Infrastructure Cybersecurity, version 1.1 of which was published in 2018 to update 2014’s initial v.1.
The CSF is a risk-based approach that centers around a deep understanding of the risks themselves. It ultimately breaks down into three major components:
- Framework Core
- Framework Implementation Tiers
- Framework Organizational Profiles
As we did for the RMF above, let’s take a closer look at each part of the CSF here:
Component 1: Framework Core
The CSF Framework Core is the main logical underpinning of all cybersecurity architecture based on CSF. It gives shape to the various practices and procedures meant to deliver outcomes—namely, privacy and security.
All in all, the CSF Core is composed of five main functions:
- Identify – Identifying and documenting all resources, assets, risks, etc.
- Protect – Developing safety measures designed to keep critical services operating
- Detect – Recognizing and preparing for response to abnormal events
- Respond – Undertaking immediate practices to mitigate and eliminate risks
- Recover – Planning resilience and pathways to recoup compromised assets
The outcomes each core function aims at depend upon successful implementation of the practices each comprises.
Component 2: Implementation Tiers
The tiers of implementation within the CSF designate the scope of an organization’s particular approach to risk management with respect to how robust and rigorous its practices are. There are four tiers in total, with ascending levels of rigor:
- Tier 1: Partial
- Tier 2: Risk Informed
- Tier 3: Repeatable
- Tier 4: Adaptive
Importantly, while the tiers do reflect the relative strength of an organization’s dedication to risk management, they are not indicators of maturity. A company doesn’t need to move “up” the tier ladder to be safer. Many companies at Tier 1 operate safely enough for their needs.
Component 3: Organizational Profiles
Profiles, similar to the tiers above, provide descriptions of the state of cybersecurity and risk management at a company. In particular, they are detailed descriptions of various cybersecurity activities. Just as a tier provides a picture of what risk management looks like at a company, a profile provides a smaller-scale picture of what an individual part of the whole system looks like.
Companies may choose to create several profiles for any individual activity. Each profile takes into consideration various factors concerning an activity, including all risks associated and information about the institution’s tier and approach.
Professional Risk Assessment and Cybersecurity Solutions
Here at RSI Security, our mission is to help companies of all shapes and sizes get the cybersecurity protection they need. A key component of that, as we’ve established above, is generating a cyber risk assessment report that breaks down your:
- Network vulnerability
- Web vulnerability
- Dark web presence
RSI provides these premium services free of cost.
Beyond assessment according to the NIST risk assessment framework, RSI Security can also help you build up your cyberdefenses, mitigating or even eliminating certain risks. We’re your first and best option for all cybersecurity. Get in touch to see how safe you can be!