NIST Says Preparation Is Key to the Risk Management Framework

July 22, 2019
| |
4 min read

Imagine you’ve been tasked with building a pyramid. The particular building materials and tools have been selected, block-carving systems and block-laying operations are being implemented, there’s an assessment process in place to ensure that the pyramid’s blocks are properly aligned, the general contractor is ready to authorize the various batches of work, and the project champion and contractor are monitoring the details of the project.

Suddenly, someone yells, “What about all of the preparatory activities?” Has the project identified key roles and responsibilities? Has the risk tolerance been specified, and a risk strategy selected (e.g., uneven or damaged blocks)? Was there a risk assessment conducted prior to all of this building activity (e.g., shifting sands)? Is there a continuous start-to-finish monitoring process in place?

This example helps us understand just how significant the preparation step of risk management really is.

In December 2018, the National Institute of Standards and Technology (NIST) officially unveiled revision two of its Risk Management Framework (RMF). In the accompanying press release, NIST pointed to changes that make the RMF more useful for organizations that are putting it into practice, specifically to improve communication and governance of cyber risks, to integrate privacy risk into the RMF process, and to “institutionalize” essential risk management activities throughout the organization to improve the value delivered by the risk management process. How did NIST accomplish these improvements? With the addition of a new seventh step: Prepare.

In its justification for the new step, NIST stated that it was needed to “achieve more effective, efficient, and cost-effective security and privacy risk management processes.” Let’s explore what the Prepare step entails, who is responsible for it, and what benefits organizations can expect from going through the additional step.

Prepare: A New, Critical Step in the NIST RMF

The Prepare step ensures that high-level and essential umbrella risk management activities are carried out to guide the rest of the steps and derive better value out of the risk management process. In particular, the Risk Management Framework states that the Prepare step improves communication between senior IT/security/privacy leaders and top executives, both at the mission/business (strategic) level and the system owners (operational) level.

NIST further commented that the new step helps reduce complexity by identifying and eliminating risk management activities that don’t effectively impact security and privacy risk. This is accomplished by identifying, prioritizing and focusing on high value assets (HVAs), and by deploying appropriate risk mitigation measures. For NIST, the Prepare step is key to consolidating, optimizing and standardizing risk management controls across both IT and operational technology (OT) infrastructure.

Who should be involved in the Prepare step? In an accompanying document, NIST specified the key responsibilities of the head of agency, the chief information officer (CIO), the risk executive, and both the security and privacy officers. These range from overseeing the entire risk management process to monitoring and reviewing the effectiveness of the process and the controls implemented.

Key Tasks and Outcomes

The value that the Prepare step provides becomes clear once we look at the list of tasks and outcomes that it comprises. We’ll focus on a subset of those key tasks and outcomes to highlight their particular relevance and value.

  • Risk Management Roles (P-1) — This particular task ensures that the organization has properly identified key individuals and specified their roles and responsibilities in the risk management process. This includes reviewing and dealing with potential conflicts of interest (e.g., one person in charge of a process and also auditing/authorizing that same process). This task connects with the NIST Cybersecurity Framework (CSF) governance (ID.GV) activity.

  • Risk Management Strategy (P-2) — At this point, the organization has specified its level of risk tolerance and has determined a particular strategy for the road ahead. This strategy should include the threats, assumptions, constraints, priorities and trade-offs that will be used when making business decisions and when determining which areas to invest in. This task connects with the NIST CSF risk management (ID.RM) and supply chain (ID.SC) activities.

  • Organizational Risk Assessment (P-3) — While the concept of risk assessments was already present in the previous RMF version, it was primarily focused on tactical and operational issues. The addition of an organizational-level risk assessment ensures that top leadership, the CIO, and the security and privacy officers are all on the same page. It also helps the organization with its prioritization efforts by focusing on high-value assets. This task connects with the NIST CSF risk assessment (ID.RA) activity.

  • Continuous Monitoring Strategy (P-7) — This task specifies how ongoing assessments will be performed and with what frequency. The goal is to move the organization closer to “near real-time risk management” to enable rapid and effective response to changes in the risk landscape or changes in the effectiveness of controls. This task connects with the NIST CSF continuous monitoring (DE.CM) element.

Begin Your Risk Management Process With Preparation

While NIST insisted that the steps in its framework do not have to be performed in order, it is clear that going through the Prepare step surfaces key decisions and parameters that are crucial to implementing an effective risk management process. In essence, the addition of the step helps elevate the value of the Risk Management Framework from tactical and operational to organizational and strategic.

For first-time NIST RMF adopters, the Prepare step is a logical, necessary place to start — at the top. For organizations that have already implemented an RMF-based process, be sure to add the Prepare step as part of your next iteration; you’ll get strategic value out of it.

Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information ...
read more