January 22, 2020
A Brief Guide to Implementing the NIST Security Framework
These steps can help federal agencies meet the requirements of NIST’s Risk Management Framework.
The RMF is the framework that structures how information systems are developed and deployed. It sets out a formal process for agencies to determine the risk facing their systems, to design and implement appropriate controls, and to operate those controls effectively.
Agency technology leaders bear responsibility for ensuring that their cybersecurity programs operate in compliance with the RMF. For organizations with little experience, this effort can be overwhelming, but taking a methodical approach to RMF implementation will yield significant benefits. Let’s take a look at three steps agency leaders can take to begin a robust cybersecurity program.
Step 1: Understand Your Information Systems
Agencies operate complex technology environments consisting of many different components, housed in both on-premises data centers and offsite managed clouds. As an agency embarks on an RMF journey, it’s crucial that its IT leaders understand all of the networking, computing, storage and security components that make up their computing environment.
This understanding begins by building a comprehensive inventory of components, but it doesn’t end there. Agencies must also understand the configuration of those devices and how they interact within the context of the agency’s mission operations.
Step 2: Categorize Your Risk
Agencies are responsible for categorizing their information systems according to their relative level of risk. This categorization takes place using the three standard pillars of cybersecurity:
- Confidentiality risk arises if sensitive information is viewed by unauthorized individuals.
- Integrity risk arises if unauthorized changes are made to agency information.
- Availability risk arises if authorized personnel are unable to access information in a legitimate manner.
Together, these pillars form the triad against which cybersecurity threats to an agency environment are evaluated. Agency technology leaders are responsible for working with information security officials to rate each information system as high, medium or low risk in each of these categories. Those ratings then determine the level of security controls required to safeguard the system from these threats.
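The following is an added example, not code from the article or from CDW•G, that ties Step 1 and Step 2 together: it holds a small component inventory, flags components whose configuration has not yet been recorded, and rolls the per-component confidentiality, integrity and availability ratings up into a system-level categorization. The inventory is constructed sample data, and the roll-up rule (the highest rating in any pillar sets the system's control baseline, the "high-water mark" from FIPS 200) is an assumption drawn from NIST practice rather than something the article states. The article's "medium" is accepted as a synonym for the FIPS 199 term "moderate".

```python
"""Inventory and impact-categorization helper (added example, not the article's own code)."""
from dataclasses import dataclass

# Impact levels accepted as input. "medium" (the article's term) and "moderate"
# (the FIPS 199 term) are treated as the same level. Assumption, not from the article.
LEVELS = {"low": 1, "moderate": 2, "medium": 2, "high": 3}
NAMES = {1: "low", 2: "moderate", 3: "high"}
PILLARS = ("confidentiality", "integrity", "availability")


@dataclass
class Component:
    """One inventoried component with its per-pillar impact rating."""
    name: str
    kind: str              # e.g. database, firewall, storage
    location: str          # on-prem or cloud
    config_recorded: bool  # has the configuration been captured (Step 1)?
    confidentiality: str = "low"
    integrity: str = "low"
    availability: str = "low"


def level(name: str) -> int:
    """Map a rating label to a comparable number; reject unknown labels loudly."""
    try:
        return LEVELS[name.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown impact level: {name!r}") from None


def inventory_gaps(components: list[Component]) -> list[str]:
    """Step 1 check: components whose configuration has not been recorded."""
    return [c.name for c in components if not c.config_recorded]


def categorize_system(components: list[Component]) -> tuple[dict[str, str], str]:
    """Step 2 roll-up: per-pillar system rating is the highest rating among its
    components; the overall baseline is the highest of the three pillars
    (high-water mark, an assumption from FIPS 200 practice)."""
    if not components:
        raise ValueError("cannot categorize an empty inventory")
    per_pillar = {
        p: NAMES[max(level(getattr(c, p)) for c in components)] for p in PILLARS
    }
    baseline = NAMES[max(level(v) for v in per_pillar.values())]
    return per_pillar, baseline


# Constructed sample inventory (not real agency data).
SAMPLE_INVENTORY = [
    Component("hr-db-01", "database", "on-prem", True, "high", "moderate", "low"),
    Component("web-portal", "web server", "cloud", True, "low", "moderate", "medium"),
    Component("edge-fw-02", "firewall", "on-prem", False, "low", "moderate", "moderate"),
    Component("file-share", "storage", "cloud", False, "moderate", "low", "low"),
]


def report(components: list[Component]) -> str:
    """Human-readable summary of gaps and the resulting categorization."""
    gaps = inventory_gaps(components)
    per_pillar, baseline = categorize_system(components)
    lines = [f"{p}: {per_pillar[p]}" for p in PILLARS]
    lines.append(f"control baseline (high-water mark): {baseline}")
    lines.append("configuration not recorded: " + (", ".join(gaps) if gaps else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

The gap list is the reason Step 1 "doesn't end" with the inventory: a component whose configuration is unknown still carries its ratings into the categorization, so the baseline can be determined while the missing configuration records are chased down in parallel.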
Step 3: Identify Regulatory Bodies
With information about systems and risk in hand, agency technology leaders should next identify the regulatory frameworks that apply to their information systems. For most agencies, this means complying with NIST cybersecurity controls as a starting point, but many individual agencies have their own control standards that provide complementary guidance on security requirements. For example, the Department of Defense publishes Security Technical Implementation Guides (STIGs) that define specific security requirements for firewalls, routers, switches and many other security components.
At the conclusion of these three assessments, agency leaders are armed with the information they need to begin implementation of a robust cybersecurity program. CDW•G offers its Security Management Infrastructure solution to assist agencies in achieving their cybersecurity objectives and meeting their compliance obligations. SMI capabilities address the risk posed by insider threats, achieve data protection objectives and document compliance with regulatory obligations.