RISK MANAGEMENT AND THE RMF Risk ma

RISK MANAGEMENT AND THE RMF
Risk management and the risk management framework seem to be the same thing,
but it is important to understand the distinction between the two. The risk management
process is specifically detailed by NIST in three different volumes. NIST SP
800-30, Guide for Conducting Risk Assessments, provides an overview of how risk
management fits into the system development life cycle (SDLC) and describes how
to conduct risk assessments and how to mitigate risks. NIST SP 800-37 discusses the
risk management framework that is the subject of this book; the guide is discussed in
great detail in coming chapters. Finally, NIST SP 800-39, Managing Information
Security Risk, defines the multi-tiered, organization-wide approach to risk management
that is discussed in this chapter.
The older certification and accreditation (C&A) process had a number of shortcomings,
including looking at risk only from the information systems perspective.
This view focused on evaluating risks as they impacted a specific system, in a vacuum
and does not address how the systems risks will impact larger business unit or
the organization itself. In developing the RMF, members of the Joint Task Force
Transformation Initiative, including members from NIST, determined that the best
approach to risk management is to view risks at not only the system level, but also at
the business unit level and the organizational level. This approach includes determining
how the organizational risk picture may be impacted if a specific system is placed
into the production environment. This evaluation takes place at three levels: the
organizational level, or tier 1; the mission and business process level, or tier 2;
and the system level, or tier 3, as illustrated in Figure 3-1. This holistic, multi-tiered,
organizational view of risk assists senior leaders in determining how to effectively
and efficiently manage risk in the most cost-effective manner across the entire
organization