The risk of cybercrime is present for companies of all types and sizes. Hackers and other malicious actors outpace the advancement of cybersecurity technologies, constantly innovating new ways to compromise your resources. When dealing with the federal government, the risks are even more pronounced. That’s why a NIST cybersecurity risk assessment can be the difference between smooth sailing and potentially irreversible damage.
Knowing what risks you face is the first step toward mitigating and managing them.
What is a NIST Cyber Risk Assessment?
It’s a procedure assessing your compliance and safety within parameters set out by the NIST, or the National Institute of Standards and Technology. This subdivision of the US Department of Commerce publishes various guides and regulatory documents addressing everything from building construction to biological research.
For our purposes, they’re the authors of three important guidelines or frameworks that you need to know about with respect to risk assessment:
- NIST Guide to Risk Assessment
- NIST Cybersecurity Framework
- NIST Risk Management Framework
This guide will help you understand all three. But first, let’s cover some basic context:
Do You Need NIST Risk Assessment?
If you’re a government contractor, or you’re in certain kinds of business relationships with the federal government, then the Federal Information Security Modernization Act (FISMA) requires you to conduct a risk assessment based on the Risk Management Framework (RMF).
Businesses in the private sector aren’t beholden to RMF in particular; instead, risk assessment for most non government-related businesses uses the NIST Cybersecurity Framework (CSF).
Let’s go over what the process of risk assessment looks like, regardless of which framework you’re using, before diving deeper into the CSF and RMF, respectively.
Understanding the NIST Risk Assessment Process
Risk assessment is all about understanding what risks you face and preparing a plan to manage and ideally dissipate them. It can be a complex and arduous process, but ultimately it boils down to a handful of simple stages.
The Special Publication 800-30: Guide for conducting Risk Assessments specifies that NIST security risk assessment comprises four main steps:
- Preparing for assessment
- Conducting assessment
- Sharing your findings
- Maintaining assessment
Now, let’s take a deep dive into each step:
Step 1: Prepare for Assessment
As with any complex process, the first step involves careful, detailed planning. Preparation for an NIST assessment comprises a series of identification procedures dedicated to:
- The overall purpose and aim of the assessment.
- The potential scope of the assessment.
- All assumptions and constraints guiding the assessment.
- Each and every input, or source of information.
- The risk model(s) and analytic approach(es) of the assessment.
As such, the preparation stage is informed and made possible by the “framing” portion of the risk management process, which we’ll detail in the RMF section below.
Step 2: Conduct the Assessment
Once your plan is in place, it’s time to carry out the assessment itself.
Based on the scope, models, approaches, and other factors identified in the previous stage, conducting the assessment can look very different for any individual organization. However, certain elements do transcend the process no matter who’s doing it.
For instance, the assessment will always strive to identify sources of threats, as well as the potential events that could be caused by them. In addition, any and all vulnerabilities prone to exploitation must also be identified and categorized.
Then, for each individual threat, you must determine any and all possible impacts it could have on your company, along with the likelihood of each.
Step 3: Share Findings
Compared with the prior two steps, this one is far simpler and more uniform across companies. This stage requires the risk-related information uncovered and processed throughout the assessment to be shared with, or communicated to, any and all stakeholders.
In practice, that means that anyone who would be directly or indirectly impacted by the risks identified, in any of the scenarios, needs to be made aware of the risks.
Step 4: Maintain Assessment
Finally, the last stage of the assessment process involves maintaining it over a longer term. NIST security risk assessment isn’t a procedure that organizations simply execute once and then never return to. Instead, it must be an ongoing process of continuous monitoring and evaluation of new data or new developments in existing data.
Maintaining assessment comprises two key elements:
- Monitoring risk factors that were identified previously, as well as any new ones
- Constantly updating procedures and overall risk management to reflect any changes
Now, let’s take a deeper look at CSF to understand what NIST CSF risk assessment might entail.
Understanding the NIST Cybersecurity Framework
While much of the risk assessment practices are directly related to the RMF, which we’ll detail below, there are also key ways in which it intersects with the CSF. Also, more businesses are impacted by the CSF, since its specifications aren’t limited to only DoD contractors.
NIST publication Framework for Improving Critical Infrastructure Cybersecurity breaks down the entirety of the CSF into three major components:
- CSF Core
- CSF Implementation Tiers
- CSF Organizational Profiles
Let’s take a deeper look into what each of these components entails, especially with respect to assessing and managing risk.
NIST CSF Framework Core
The NIST CSF Core breaks down into five essential functions:
- Identify – Foundational documentation and categorization of data
- Protect – Development of safeguards for all critical services
- Detect – Identification of security events (risks, etc.)
- Respond – Immediate response plan for stopping attacks
- Recover – Longer-term planning for recuperation of lost assets
These functions define the specific sets of actions required to achieve the various ends of the entire CSF. Overall, each is a key logical component of the cybersecurity architecture NIST prescribes, along with the outcomes desired by adopting the CSF (safety and privacy)
Achieving these goals comes down to implementing the core functions.
NIST CSF Implementation Tiers
The CSF breaks down four levels or “tiers” of implementation of the functions and their particular practices. These tiers are not indicators of maturity, but rather intensity or style of risk management:
- Tier 1: Partial
- Tier 2: Risk Informed
- Tier 3: Repeatable
- Tier 4: Adaptive
The particular practices and approach a company takes with respect to risk will depend on its overall appetite for and tolerance of risk. Some companies may take a relatively lax approach, whereas others may seek to eliminate as much risk as possible.
NIST CSF Organizational Profiles
This final element of the CSF involves individual cybersecurity practices. Any given element of a company’s cyberdefense program may have one or more profiles mocked up in order to compare and make decisions about what is or isn’t needed.
Profiles are like a smaller-scale version of the implementation tiers. Rather than providing an objective description of the entire organizational approach to risk management, they instead focus on a much smaller and granular image: the state of any given cybersecurity activity that’s a part of the grander scheme. Also, these are not indicative of maturity.
Understanding the NIST Risk Management Framework
The full title for NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” spells out exactly what it seeks to achieve. It’s a long-term solution for the entire lifespan of an organization.
To that end, SP 800-37 details seven stages needed for successful risk management:
As we did above for risk management and CSF, let’s take a closer look at each individual component of NIST RMF:
Similar to the procedure for risk assessment details above, the NIST RMF begins with a preparation process.And just as the RMF is significantly broader and robust than the specific process of assessment, the preparation is also larger and less particular.
Instead of focusing on a set of identification processes, this level of preparation entails wider-scale gathering of information—anything and everything that involves risk or the potential for risk, whether directly or indirectly. The sheer volume of data can make this process arduous. It also necessitates the following step, which entails making the data more manageable.
The combination of data collection and careful categorization makes up the important “framing” portion of the overall risk management process. In this stage, you set up a scheme in which all the information collected during preparation is plotted out and made available for the analysis and processing that’s needed to fully understand and address the threats.
The NIST Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories,” is useful here. It consists of two volumes (Vol. I and Vol. II) that detail possible organizational schemes based on confidentiality, integrity, and availability.
In addition, the FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” lays out categories based on potential impact.
This stage entails acting on the more preparatory work taken up in the previous two stages. Based on what risks were identified, and the particular categories they fall into, the selection stage involves identifying the practices that will be put in place to address them.
This stage is the final preparation step for action. In this sense, selection is less a step in itself, than a part of the next stage, where the plans selected will be put into practice.
Here, the particular controls selected are set in action. Depending on the particular controls or protocols selected, this stage may involve drastically different courses of action. For example:
- A company that selected processes based on Zero Trust Architecture would base its countermeasures on decentralization and point of access rather than proximity.
- A more targeted counterattack may involve specific, isolated security patching based on NIST’s Security Guidelines for Storage Infrastructure.
- Likewise, NIST SP 800-204, Security Strategies for Microservices Based Application Systems, would guide processes for a company in this particular sector.
Whatever plan of action is selected, this is the stage where everything done previously manifests into real practices.
Not to be confused with the process of NIST cyber risk assessment detailed above, this stage instead entails assessing the relative success or failure of any and all measures implemented in the previous stage. Assessment at this level seeks to confirm that controls are functioning properly, and producing the intended outcomes without opening up additional vulnerabilities.
Like risk assessment, this is an ongoing process that necessitates continuous, long-term monitoring. That way any late-developing side effects can be accounted for and addressed.
Here, the system is either authorized to operate, or its authorization may be suspended or revoked. It could entail the entire or partial shutdown of one or more pieces of the security system, depending on the particular risk profile and potential for further harm.
In other words, this is the real test.
Based on the results of the assessment, this stage determines whether or not a given piece of an information system, or even the entire system, is fit to operate as normal.
Finally, the monitoring stage shares much with the assessment stage above.
However, rather than assessing the particular success or failure of one or more cybersecurity measures, monitoring refers to a broader analysis of the entire system’s safety and operability. The authorization granted in the previous stage must be checked at regular intervals according to pre-set criteria developed earlier on in the preparation stage and updated throughout.
All in all, NIST RMF and CSF risk assessment and management are extremely important, albeit complicated undertakings. That’s why professional help is your best bet for staying safe.
Risk Assessment and Management, Professionalized
Here at RSI Security, we know how important your business’s safety is—to you, your stakeholders, and potentially many others who could be impacted by a data breach. That’s why we’re dedicated to providing a robust cyber risk assessment report at no cost at all to you.
No matter what kind of cybersecurity questions you have, our experts can answer them.
We’re your first and best option, sporting over decade of experience providing cybersecurity solutions to companies of all sizes, across all industries. Contact RSI Security today for robust NIST cybersecurity risk assessment and any other cybersecurity assistance you need.