Imagine you’ve been tasked with building a pyramid. The particular building materials and tools have been selected, block-carving systems and block-laying operations are being implemented, there’s an assessment process in place to ensure that the pyramid’s blocks are properly aligned, the general contractor is ready to authorize the various batches of work, and the project champion and contractor are monitoring the details of the project.

Suddenly, someone yells, “What about all of the preparatory activities?” Has the project identified key roles and responsibilities? Has the risk tolerance been specified, and a risk strategy selected (e.g., uneven or damaged blocks)? Was there a risk assessment conducted prior to all of this building activity (e.g., shifting sands)? Is there a continuous start-to-finish monitoring process in place?

This example helps us understand just how significant the preparation step of risk management really is.

In December 2018, the National Institute of Standards and Technology (NIST) officially unveiled revision two of its Risk Management Framework (RMF). In the accompanying press release, NIST pointed to changes that make the RMF more useful for organizations that are putting it into practice, specifically to improve communication and governance of cyber risks, to integrate privacy risk into the RMF process, and to “institutionalize” essential risk management activities throughout the organization to improve the value delivered by the risk management process. How did NIST accomplish these improvements? With the addition of a new seventh step: Prepare.

In its justification for the new step, NIST stated that it was needed to “achieve more effective, efficient, and cost-effective security and privacy risk management processes.” Let’s explore what the Prepare step entails, who is responsible for it, and what benefits organizations can expect from going through the additional step.

Prepare: A New, Critical Step in the NIST RMF

The Prepare step ensures that the high-level, umbrella risk management activities are carried out to guide the rest of the steps and derive better value from the risk management process. In particular, the Risk Management Framework states that the Prepare step improves communication between senior IT/security/privacy leaders and top executives, both at the mission/business (strategic) level and at the system-owner (operational) level.

NIST further commented that the new step helps reduce complexity by identifying and eliminating risk management activities that don’t effectively impact security and privacy risk. This is accomplished by identifying, prioritizing and focusing on high value assets (HVAs), and by deploying appropriate risk mitigation measures. For NIST, the Prepare step is key to consolidating, optimizing and standardizing risk management controls across both IT and operational technology (OT) infrastructure.

Who should be involved in the Prepare step? In an accompanying document, NIST specified the key responsibilities of the head of agency, the chief information officer (CIO), the risk executive, and both the security and privacy officers. These range from overseeing the entire risk management process to monitoring and reviewing the effectiveness of the process and the controls implemented.

Key Tasks and Outcomes

The value that the Prepare step provides becomes clear once we look at the list of tasks and outcomes that it comprises. We’ll focus on a subset of those key tasks and outcomes to highlight their particular relevance and value.

  • Risk Management Roles (P-1) — This particular task ensures that the organization has properly identified key individuals and specified their roles and responsibilities in the risk management process. This includes reviewing and dealing with potential conflicts of interest (e.g., one person in charge of a process and also auditing/authorizing that same process). This task connects with the NIST Cybersecurity Framework (CSF) governance (ID.GV) activity.
  • Risk Management Strategy (P-2) — At this point, the organization has specified its level of risk tolerance and has determined a particular strategy for the road ahead. This strategy should include the threats, assumptions, constraints, priorities and trade-offs that will be used when making business decisions and when determining which areas to invest in. This task connects with the NIST CSF risk management (ID.RM) and supply chain (ID.SC) activities.
  • Organizational Risk Assessment (P-3) — While the concept of risk assessments was already present in the previous RMF version, it was primarily focused on tactical and operational issues. The addition of an organizational-level risk assessment ensures that top leadership, the CIO, and the security and privacy officers are all on the same page. It also helps the organization with its prioritization efforts by focusing on high-value assets. This task connects with the NIST CSF risk assessment (ID.RA) activity.
  • Continuous Monitoring Strategy (P-7) — This task specifies how ongoing assessments will be performed and with what frequency. The goal is to move the organization closer to “near real-time risk management” to enable rapid and effective response to changes in the risk landscape or changes in the effectiveness of controls. This task connects with the NIST CSF continuous monitoring (DE.CM) element.

Begin Your Risk Management Process With Preparation

While NIST insisted that the steps in its framework do not have to be performed in order, it is clear that going through the Prepare step surfaces key decisions and parameters that are crucial to implementing an effective risk management process. In essence, the addition of the step helps elevate the value of the Risk Management Framework from tactical and operational to organizational and strategic.

For first-time NIST RMF adopters, the Prepare step is a logical, necessary place to start — at the top. For organizations that have already implemented an RMF-based process, be sure to add the Prepare step as part of your next iteration; you’ll get strategic value out of it.
