6 Information Security Risk Management

  • 6.1 Categorize
  • 6.2 Select
  • 6.3 Implement
  • 6.4 Assess
  • 6.5 Authorize
  • 6.6 Monitor

Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Individuals manage risks every day, though they may not be aware of it. Actions as routine as buckling a car safety belt, carrying an umbrella when rain is forecast, or writing down a list of things to do rather than trusting to memory all fall under the purview of risk management. Individuals recognize various threats to their best interests and take precautions to guard against them or to minimize their effects.

Both government and industry routinely manage a myriad of risks. For example, to maximize their return on investments, businesses must often choose between growth investment plans that are aggressive and high-risk or slow and secure. These decisions require analysis of risk relative to potential benefits, consideration of alternatives, and, finally, the implementation of what management determines to be the best course of action.

With respect to information security, risk management is the process of minimizing risks to organizational operations (e.g., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation of a system. NIST SP 800-39 identifies four distinct steps for risk management. Risk management requires organizations to (i) frame risk, (ii) assess risk, (iii) respond to risk, and (iv) monitor risk.

  • (i) Framing Risk – describes how organizations establish a risk context for the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess, respond to, and monitor risk—while making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.

  • (ii) Assessing Risk – describes how organizations analyze risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify: (i) threats to organizations' operations and assets, individuals, other organizations, and the Nation; (ii) internal and external vulnerabilities of organizations; (iii) the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that harm will occur.

  • (iii) Responding to Risk – addresses how organizations respond to risk once that risk is determined based on the results of risk assessments. The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by: (i) developing alternative courses of action for responding to risk; (ii) evaluating the alternative courses of action; (iii) determining appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on selected courses of action.

  • (iv) Monitoring Risk – addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to: (i) verify that planned risk response measures are implemented and that information security requirements derived from/traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied; (ii) determine the ongoing effectiveness of risk response measures following implementation; and (iii) identify risk-impacting changes to organizational systems and the environments in which the systems operate.

To help organizations manage information security risk at the system level, NIST developed the Risk Management Framework (RMF). The RMF promotes the concepts of near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes. The RMF also provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and system development life cycle (SDLC). See NIST SP 800-160.

The six steps that make up the RMF are:

  1. System Categorization;
  2. Security Control Selection;
  3. Security Control Implementation;
  4. Security Control Assessment;
  5. System Authorization; and
  6. Security Control Monitoring.

Figure 1 - Risk Management Framework (RMF) Overview

6.1 Categorize

The first step of the RMF focuses on the categorization of the system. Here, organizations categorize the system and the information processed, stored, and transmitted by that system based on an impact analysis. Security categorization guidance for non-national security systems can be found in FIPS 199 and NIST SP 800-60.(7)

(7) The National Archives and Records Administration (NARA) has developed a Controlled Unclassified Information (CUI) Registry. The CUI Registry is an online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. The registry is available at https://www.archives.gov/cui/registry/category-list.

6.2 Select

The second step of the RMF process involves selecting an initial set of baseline security controls for the system based on the security categorization as well as tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. Security control selection guidance is provided in NIST SP 800-53 and in FIPS 200.

6.3 Implement

In the third step, the organization is responsible for implementing security controls and describing how the controls are employed within the system and its environment of operation. Many NIST publications provide information on security control implementations and are available for reference on the Computer Security Resource Center website.

6.4 Assess

In the fourth step, the organization assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. NIST SP 800-53A provides guidelines for the development of assessment methods and procedures to determine security control effectiveness in federal systems and for reporting assessment findings in the security assessment report.

6.5 Authorize

In the fifth step, a senior manager officially authorizes a system to operate or continue to operate based on the results of a complete and thorough security control assessment. This decision is based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the system and the decision that this risk is acceptable.

6.6 Monitor

The sixth step of the RMF is to continuously monitor the security controls in the system to ensure that they are effective over time as changes occur in the system and the environment in which the system operates. Organizations monitor the security controls in the system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. Specific guidance on continuous monitoring can be found in NIST SP 800-137.