CSOL-530-Cyber Security Risk Management, Summer 2019


Risk Management Framework(RMF)


I was introduced to the notion of risk management framework during Summer of 2019 by Professor Dorian Pappas, CSOL-530 Cybersecurity Risk Management course. There were no specific book on this since NIST special publications were all that needed.

Businesses across the board, government, and other entities are subject to threats with adverse impacts on the organizational operations: Image, reputation, business functions, mission, and so forth. This reality proves that cyber-attacks today constitute a big threat these organizations cannot afford to ignore. Following this, the US government, under the leadership of the department of commerce, has tasked the National Institute of Standards and Technology, NIST, to develop a security Framework. The idea was to provide a common approach for the management of information system-related security risk applied to diverse environments throughout the system development life cycle. It was in this context that the RMF was born. The work of NIST followed with several documents called the NIST's Special Publications. Examples: the NIST SP 800-37, NIST SP 800-53.

RMF Formal Definition
The Risk Management Frame (RMF) according to Lang (2019) is a “set of processes developed by the National Institute of Standard and Technology (NIST) for the US federal bodies to integrate information security and risk management into their systems development life cycles." But due to its benefits, it has increasingly being adopted by several organizations, public and private, to help them manage the security aspect of their information. As Lang (2019) says, "the RMF is not specific to any one agency or body, which gives it the flexibility to be adopted and applied by organizations of all shapes, sizes, and industries — including yours."

One cannot use RMF without talking about Security controls, CIA Triad, and Impact Level. Let define them here, so the issue of their meaning as we refer to them is out of our way.

Security Controls, CIA Triad, Impact Level Definitions

Security Controls
Security controls are the management, operation, and technical safeguards of countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. Some examples of Security Controls: Account Monitoring and Control, Data Protectgion, Incident Response and Management, Data Recovery Capability, Inventory of Authorized and Unauthorized Devices, Malware Defences, Penetration Tests and Red Team Exercises.

CIA Triad
To a more elementary level, when talking about securing information, we means how to ensure Confidentiality, Integrity, and Availability, the CIA triad of that information. We can add other considerations, but the top three remain the most important aspect of information security. The following are the definitions of these terms:

Confidentiality can be understood as the opposite of Disclosure. With confidentiality, we mean the information being protected can only be disclosed or accessed to/by authorized parties. If someone were able to gain access to your private photos and disclose them without prior authorization, we would talk about the loss of confidentiality. One way to ensure confidentiality is with the application of encryption mechanisms.

Disclosing data to an unauthorized party means protected data or confidential information is in the wrong hands. If that information is not encrypted, for example, that means the unauthorized party can exploit it in any way he wants. After he decrypts and depending on what the contains is, can sell it or use it to commit illegal activities with the stolen data. According to Upcounsel (n.d), “a breach of confidentiality includes dealing with the ramifications of lawsuits, loss of business relationships, and employee termination.”

Integrity can be understood as the opposite of Alteration. With Integrity, we mean that data or information does not experience any change when in process, at rest, or in transit phases. Hashing mechanism is one way to provide data integrity.  Loss of data integrity incident has consequences to a business that can be of different kinds. Let say for example a malicious user injects malicious code into an executable file; the person can start taking control of the victim’s machine and start accessing the company network resources. This intruder can cause greater damage in the network close or more than what suffers a business when facing a confidentiality breach. As Sivathanu,  Wright, Zadok, (2005) say, “Operating systems that allow access to raw disks can inadvertently aid an attacker to bypass security checks in the file system, and cause damage to stored data.”  

Availability can be understood as the opposite of Destruction. With availability, we mean data or information is accessible when needed. When data is encrypted and cannot be accessed because the decryption key is lost, we talk about a lack of availability for the data. The damage a business can sustain when data is not available is huge. Loss of business is one of them. If a company cannot access his network due to distributed denial of service attack, DDoS, for example, and that no backup system is in place, the company will experience loss of money as they cannot operate.  

As an example of damage is the NonPetya ransomware that hit Maersk in 2017. According to Osborne (2018), Maersk has revealed that a devastating ransomware attack that struck businesses across Europe in 2017 required closure of the  "complete infrastructure" overhaul and the re-installation of thousands of machines. Because of this lack of availability, the author says Maersk lost money. Here was the comment about one of the Maersk executives: "Imagine a company where a ship with 10 to 20 thousand containers is entering a port every 15 minutes, and for ten days, you have no IT," Hagemann commented. "It's almost impossible even to imagine."

During the categorization step, Confidentiality, Integrity, and Availability in the context of RMF are determined. And with this, an impact level is applied. Low, Moderate, or High. For example, human resource personnel is being asked to send an Excel file of salaries information of the executive team to a company board member, what are the appropriate labels for this information?

(a) Confidentiality can be moderate since nowadays, the salary information of several executives is known or can be retrieved if need to. In the event the information fall in the wrong hands, there is nothing to be alarmed.
(b). As for the file integrity, I will say to be moderate also. This file can be intercepted by a bad actor, modify it and then send the modified version to the board member, the later will have certainly an incorrect information, but its consequences are not that catastrophic.
(c). For the availability, I will set it to low since if the network is not available to send the file on time, no big deal, I'm sure the board member can wait a little longer

The above explains what is called the Impact level. The notation in the example above will be: 
SC_Executive Salary Information = {(confidentiality, Moderate), (Integrity, Moderate), (Availability, Low)}. SC here is for Security Category.

RMF Application Process

The Risk Management Framework process involves six steps:
Step 1: Categorize the system and the information being processed, stored, and transmitted by the system.
Step 2: Select an initial set of baseline security controls for the system based on the categorization, tailoring, and supplementing as needed.

Step 3: Implement the security controls and document how they are deployed.
Step 4: Assess the security controls to determine the extent to which they are meeting the security requirements for the system.

Step 5: Authorize system operation based upon a determination that the level of risk is acceptable.
Step 6: Monitor and assess selected security controls in the system on an ongoing basis and reporting the security state of the system to appropriate organizational officials.


Fig. 1: Risk Management six steps


As a business navigate the cybersecurity landscape, the application of risk management comes in handy since its application is not only reserved to the federal agencies but to public and private business as well. It is sure knowledge that so far, there is no yet ethical rules cyber professionals are to obverse, and the boundaries of what is considered as appropriate or not in the context of applying security mechanisms in different situations are so far blurry and left to each cyber professional best judgment. Cyber professionals are not bound, as it is in practice with doctors and lawyers to a certain set of ethical rules to follow to avoid running the risk of a license or some privileges being taken away.

So, the more cyber professionals know about how the RFM work, the more they will be likely to conduct themselves ethically faces to challenges the profession presents. In some other context, if one plans to work for the DoD in cybersecurity capacity, chances are that you will be required to have some familiarity with the RMF. According to Casey Lang (2019), "Contractors of the DoD have a set of legal obligations under the Defense Federal Acquisition Regulation Supplement, or DFARS. This legislation requires such contractors to demonstrate proactive compliance with, among other frameworks, the NIST Special Publication 800-171 (NIST 800-171), which lays out how they must protect sensitive defense information and report cybersecurity incidents."

Reference Library

Government and RMF

The US government applies the recommendations of the Risk Management Framework by its diverse Federal agencies. It is an integral part of the implementation of FISMA, the Federal Information Security Management Act. In the context of RMF, Steven Tipton (2018) enforces the application by the US government by saying: All federal agencies, RMF describes the process that must be followed to secure, authorize and manage IT systems. RMF defines a process cycle that is used for initially securing the protection of systems through an Authorization to Operate (ATO) and integrating ongoing risk management (continuous monitoring).


Reference Library


The Special Publication documents by the National Institute of Standard and Technology (NIST), especially the 800 series,  is another set of documents to add to the arsenal of all cybersecurity professionals. These publications describe policies, procedures, and guidelines for information security policy implementation. While they were originally intended for the US federal agencies, they are also suited to businesses of any kind. Its application was the main object of my learning I went through during the CSOL-530 class study and was an addition to my cybersecurity information baggage.
Learning how to categorize information, knowing how to set a  baseline of security controls is all good knowledge that increases the professionalism level of a cyber professional. One thing still true in cybersecurity is that there are no governing body so far as it is the case in medical field such as The Medical Board of California (MBC) or in the legal field such as The American Bar Association where its practitioners need to comply to a set of rules so that the ethical aspect is being constantly checked and validated and to maintain eligibility. Even though non-profit organizations such as (ISC)2 are feeling the vacuum, but still, their application has not reached the mainstream level enjoyed by other bodies in other fields, and having these NIST publications and knowing they are being produced by the US government adds more credit or trust to a cybersecurity engineer.

Special Publication by NIST is not a panacea to cybersecurity challenges, but as a society is making progress in its quest to securing data, and awareness is being injected into the field of information security, the contribution of these publications to an overall improvement to the cyberculture is undeniable. I know that if I'm being tasked to integrate information security and risk management solution for an organization, the use of NIST publications, 800 series, with no contest will be referred to and recommendations implemented.


As a security practitioner cognizant of the reality of challenges this new field poised to address, the main concern is to maintain a professional level that can be validated by best practices and being ethically irreproachable at the same time. And the more we are aware of those best practices, the better we become in promoting a cyber security-aware environment, which, as far as we can see,  is not ubiquity yet.  These documents are being updated regularly, and new ones added, making them more useful, especially that they are being referenced by several organizations as a model when creating documents or implementing information security solutions.

The increase in Internet communication, with its trove of opportunities bad actors are looking to exploit, having a risk management framework tailored to information security challenges can only add to the list of assets cyber professionals need to conduct their work ethically and efficiently.