Introduction to Risk Management Framework

The Risk Management Framework (RMF) has six steps that should be implemented consecutively. In Step 1, categorize, cybersecurity professionals evaluate systems and assign each a low, medium or high impact level. In Step 2, select, cybersecurity pinpoints the specific controls needed to address the risk. Step 3, implement, covers the strategies and methods used to apply the controls chosen in the previous step. Step 4, assess, evaluates the controls to see whether they are working correctly and will bring about a positive outcome. Step 5, authorize, verifies that the implemented controls are secure and meet the company’s objectives. Step 6, monitor, selects the processes that will allow cybersecurity to observe the implemented controls on an ongoing basis.

Controls are technical and non-technical methods of reducing risk for an organization. An enhancement expands the ability of a control by adding new functionality. A control can operate on its own or with a supplemental enhancement, depending on which risk objectives cybersecurity is looking to address.

According to NIST, controls have three baseline levels: low, medium and high impact. The level is selected during the categorize step and provides direction on the specific controls needed going forward. For example, if an RMF effort begins at the low-impact baseline and is later changed to high impact, many (if not all) of its selected controls will need to be changed to reflect the impact the systems require.

The Physical & Environmental (PE) Protection controls describe methods of providing security from the perspective of real-world access to company assets. PE controls are directly responsible for the physical and surrounding security of company systems, which often includes access to servers and other parts of a system. PE sets the foundation for cybersecurity to build upon as it goes through all six steps.

Auditing and Accountability (AU) controls are technical methods of ensuring that systems have a process for reviewing and auditing activity and for pinpointing which staff members are responsible for actions taken under certain controls. AU controls give cybersecurity a method of analyzing its progress and identifying areas that need improvement.

System & Information Integrity (SI) controls are technical methods used to promote the integrity and security of systems. SI controls are specific policies that give cybersecurity methods for maintaining a system and protecting it from malicious code and other threat agents.

Awareness & Training (AT) controls give cybersecurity the information it needs to ensure that staff who have access to systems know their specific role, how to implement the controls they have access to, and what to do if a mistake is made. All companies need some form of AT control in order to run an enterprise successfully.

Contingency Planning (CP) controls are operational methods that give governments and organizations a specific plan to follow should something catastrophic happen, such as a widespread data breach or a cyberattack. It is recommended that these controls receive frequent updates from cybersecurity professionals.

Identification & Authentication (IA) controls are technical controls that verify who a user is and validate whether they have the proper access to the system. Every strong cybersecurity strategy includes components for identifying and authenticating users; otherwise the system could be made available to the wrong staff or even to individuals interested in cybercriminal activities.

Security Assessment & Authorization (CA) controls give cybersecurity the ability to assess the risks connected to other users and their authorization. These controls can describe, or be updated to reflect, the current level of risk, and cybersecurity can make adjustments based on the data that the control generates.