NIST CSF: Risk Management Framework


In February 2014, the National Institute of Standards and Technology (NIST) published its “Framework for Improving Critical Infrastructure Cybersecurity,” which offers a holistic way for organizations to better understand their cybersecurity risk and how to manage it.

The NIST Cybersecurity Framework (CSF) was the result of collaboration between the public sector, private sector and academia, and its methodology is meant to complement other cybersecurity best practices, standards and industry guidance regardless of the organization’s mission. At its core, the CSF implements President Barack Obama’s February 2013 “Improving Critical Infrastructure Cybersecurity” Executive Order, signed following years of rising threats to U.S. banking, telecommunications, utilities and other businesses.

AppSec/API Security 2022

Although organizations are not required to implement the CSF, one of its components, the Risk Management Framework, helps to present them with a clearer picture of their cyber risk profile and a road map to mitigate the potential impacts if these risks are realized. Furthermore, a well-implemented Risk Management Framework (RMF) can help to provide avenues to escalate risks and issues to the leadership level so their potential operational, financial, legal and technical impacts can be more broadly understood. 

The purpose of this article is to provide a high-level introduction to the various components of the NIST Risk Management Framework, key concepts, its scope and key processes, so that your organization can better understand the value that it can play in bolstering your cybersecurity posture.

The Risk Management Framework tiers

Before an organization begins their first journey through the Risk Management Framework (RMF), NIST first seeks to help them organize the different levels of accountability and ownership throughout the process. 

Because managing information security, information systems and risk is complex, expensive and a time-intensive process, decisions should involve each facet of the organization. This should include management providing strategic direction (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Patrick Mallory. Read the original post at: