NIST 800-30 and the Risk Assessment Framework


Risk assessment has been, and continues to be, one of the more challenging cybersecurity practices an organization can put in place. Unlike straightforward security control implementation and maintenance, risk assessment requires your organization to understand how adopting, or not adopting, particular controls, operations or processes changes its exposure to harm.

As the federal government and the defense supply chain pay more and more attention to cybersecurity (including Executive Order 14028, "Improving the Nation's Cybersecurity", signed by President Biden in May 2021, and several bills in Congress addressing gaps in the national security posture), businesses working in that space will be expected to implement risk-based compliance. That, in turn, means you must understand the key government frameworks that deal with risk.

In this article, we are discussing NIST 800-30 and how it serves as a foundation for risk assessment in government compliance. 

 

What Is the NIST 800 Series of Documents?

At the heart of almost every U.S. government technical and cyber standard is the National Institute of Standards and Technology (NIST). Its guidance is adopted by program bodies such as the FedRAMP Joint Authorization Board (JAB) and the CMMC Accreditation Body (CMMC-AB, since renamed the Cyber AB), and by nearly every federal or defense agency tasked with administering technology in service or defense of the American public.

As part of those responsibilities, NIST regularly publishes standards, guidelines and reports on cybersecurity. NIST itself is not a regulator; its documents become binding when agencies and programs such as FedRAMP, CMMC and the DFARS clauses require them. Many of these documents, called "Special Publications" (SPs), cover everything from cybersecurity infrastructure and cloud security to network security and risk assessment.

One such series, the SP 800 series, specifically covers computer security: the security policies, procedures and technical guidance that agencies and contractors must follow when working with sensitive government data. Some of the better-known 800-series documents include:

  • NIST SP 800-53: This document provides a broad, comprehensive catalog of security and privacy controls. Within it you will find control families covering access control and identification and authentication, physical and environmental protection, system and communications protection (including cryptography), privacy and other key security areas. It serves as the basis for several federal and DoD frameworks, including FedRAMP.
  • NIST SP 800-171: This publication defines requirements for the handling, storage, transmission and processing of Controlled Unclassified Information (CUI). This category of data covers information generated as part of work with certain federal and defense agencies that is not classified but nonetheless requires special protection. Its requirements are derived from a subset of the SP 800-53 controls.
  • NIST SP 800-125: Many agencies and contractors run workloads on virtualization technology, which comes with its own set of security challenges. SP 800-125 defines full virtualization for government use and outlines recommendations for securing, hardening and provisioning virtual systems.
  • NIST SP 800-122: SP 800-122 provides NIST's recommendations for protecting the confidentiality of Personally Identifiable Information (PII), including the safeguards protecting that data at rest and in transit and the procedures for legitimate disclosure and for preventing unauthorized disclosure.
  • NIST SP 800-37: This document defines the Risk Management Framework (RMF). Revision 1 described a six-step process; Revision 2 (2018) added a seventh step, Prepare, ahead of the six discussed below.

There are dozens of documents in the 800 series, including new revisions and addenda that cover niche use cases. One in particular, NIST SP 800-30, covers risk assessment and underpins one of the most important compliance frameworks most government contractors will engage with, the RMF.

 

What is NIST 800-30 and How Does it Apply to RMF?

NIST SP 800-30 (Revision 1), titled "Guide for Conducting Risk Assessments", does what the title suggests: it explains how to prepare for, conduct, communicate and maintain a risk assessment, and it gives organizations qualitative and semi-quantitative scales for rating threat sources, vulnerabilities, likelihood and impact.

A risk assessment is one component of a broader risk management process. That process is defined in the companion document NIST SP 800-39, and SP 800-30 places its guidance within it. The process consists of four components:

  • Frame: The first thing an organization should do is establish the context for managing risk. This includes a risk management strategy, the assumptions and constraints you operate under, your risk tolerance (what level of risk is acceptable, based on regulations and operations) and the priorities that will govern how the other three components are carried out.
  • Assess: Risk assessment is the act of investigating and understanding the level of risk in your infrastructure or system development life cycle. In general, this means understanding the "potential adverse impacts to organizational operations and assets, individuals, other organizations and the economic and national security interests of the United States arising from the operation and use of information systems and the information processed, stored and transmitted by those systems." SP 800-30 breaks this into identifying threat sources and threat events, identifying vulnerabilities and predisposing conditions, determining the likelihood that a threat event occurs and succeeds, determining the impact if it does, and combining likelihood and impact into a level of risk. The practical outcome is that you can explain how a design or implementation decision changes your risk and justify that risk against your business operations and compliance obligations.
  • Respond: Once risk is known, decide what to do about it. SP 800-39 names the options: accept, avoid, mitigate (apply controls), share or transfer the risk. Each response is evaluated against the tolerance set in the Frame step, and its effect is fed back into the assessment.
  • Monitor: New components, new threats, upgrades and even new personnel change your risk. Monitoring verifies that responses are implemented and effective, tracks changes to systems and their environments, and triggers a re-assessment when the inputs to the risk calculation change.

Note that none of these is a fixed "first" or "last" step. Your organization will work through them in this order initially, but the continuing development and remediation lifecycle of any system requires you to revisit each component and re-evaluate your strategy, risk profile and response efforts as conditions change.
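The Assess, Respond and Monitor components above, worked through as a small Python script. This is an added example, not code from the article or from NIST: the two lookup matrices are my transcription of SP 800-30 Rev. 1 Tables G-5 (overall likelihood) and I-2 (level of risk) and should be checked against the publication, the threat register entries are constructed, and the function and field names are my own. It rates each threat event on the three factors SP 800-30 uses (likelihood the event is initiated, likelihood it results in adverse impact, and impact), combines them into a level of risk, ranks the register against a tolerance set in the Frame step, then models a Respond action and re-runs the assessment the way the Monitor step would.

```python
"""
Semi-quantitative risk assessment in the style of NIST SP 800-30 Rev. 1.

Added illustration, not code from the article or from NIST. The two
matrices are transcribed from my reading of Tables G-5 (overall likelihood)
and I-2 (level of risk) in SP 800-30 Rev. 1; verify them against the
publication before relying on them. The threat register is constructed.
"""
from dataclasses import dataclass, replace

# Ordered qualitative scale used by every 800-30 assessment table.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table G-5 (as transcribed): overall likelihood, indexed by
# [likelihood of threat event initiation][likelihood it results in adverse impact].
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Table I-2 (as transcribed): level of risk, indexed by
# [overall likelihood][level of impact].
RISK = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class ThreatEvent:
    """One row of a risk register: a threat event exploiting a vulnerability."""
    name: str
    threat_source: str
    vulnerability: str
    likelihood_initiation: str  # will the threat source attempt the event?
    likelihood_impact: str      # if attempted, will it cause harm?
    impact: str                 # how severe is that harm?


def overall_likelihood(event: ThreatEvent) -> str:
    col = LEVELS.index(event.likelihood_impact)  # ValueError on an unknown level
    return OVERALL_LIKELIHOOD[event.likelihood_initiation][col]


def risk_level(event: ThreatEvent) -> str:
    col = LEVELS.index(event.impact)
    return RISK[overall_likelihood(event)][col]


def assess(register):
    """Assess step: (event, overall likelihood, risk) rows, highest risk first."""
    rows = [(e, overall_likelihood(e), risk_level(e)) for e in register]
    return sorted(rows, key=lambda r: LEVELS.index(r[2]), reverse=True)


def above_tolerance(register, tolerance: str):
    """Events whose risk exceeds the tolerance declared in the Frame step."""
    limit = LEVELS.index(tolerance)
    return [e for e, _, r in assess(register) if LEVELS.index(r) > limit]


def respond_and_reassess(register, event_name: str, **changed_factors):
    """Respond, then Monitor: model a control by changing the factors it
    affects for one event, and re-run the assessment on the whole register."""
    updated = [replace(e, **changed_factors) if e.name == event_name else e
               for e in register]
    return assess(updated)


# Constructed sample register (illustrative values, not real findings).
REGISTER = [
    ThreatEvent("Phishing leads to VPN credential theft", "external adversary",
                "no phishing-resistant MFA on VPN", "Very High", "High", "High"),
    ThreatEvent("Ransomware via unpatched file server", "external adversary",
                "SMB host 90 days behind on patches", "High", "High", "Very High"),
    ThreatEvent("Backup tape lost in transit", "accidental",
                "tapes not encrypted at rest", "Low", "Very High", "Moderate"),
]

if __name__ == "__main__":
    tolerance = "Moderate"  # declared in the Frame step
    for event, likelihood, risk in assess(REGISTER):
        print(f"{risk:9} (likelihood {likelihood:9}) {event.name}")
    print("above tolerance:", [e.name for e in above_tolerance(REGISTER, tolerance)])
    # Deploy phishing-resistant MFA: attempts continue, but rarely succeed.
    after = respond_and_reassess(REGISTER, REGISTER[0].name, likelihood_impact="Low")
    for event, likelihood, risk in after:
        print(f"after MFA: {risk:9} {event.name}")
```

The detail worth noticing is that the MFA response changes only the "results in adverse impact" factor; attackers keep sending phishing mail, so the initiation likelihood stays Very High, yet the phishing event falls from High to Moderate risk and within tolerance. Keeping those two likelihood factors separate, as SP 800-30 does, is what lets you distinguish a control that reduces exposure from one that merely reduces attention.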

NIST SP 800-30 also feeds directly into the Risk Management Framework (RMF) defined in SP 800-37. Broadly speaking, RMF is a system-level process for selecting, implementing, assessing and authorizing security controls based on risk. As originally defined in SP 800-37 Revision 1 it has six steps (Revision 2 adds an organization-level Prepare step before them):

  1. Categorize: Categorize the system and the information it processes, stores and transmits by the impact of a loss of confidentiality, integrity or availability (low, moderate or high, per FIPS 199). This category drives everything that follows.
  2. Select: Select the SP 800-53 control baseline that matches the category and tailor it using risk assessment results. This is different from simply checking boxes to meet compliance: RMF expects you to add, remove or strengthen controls based on both compliance requirements and an informed risk strategy.
  3. Implement: Implement the selected controls and document how each one is implemented, choosing among control alternatives where the risk assessment justifies it.
  4. Assess: Have an assessor determine whether the controls are implemented correctly, operating as intended and producing the desired outcome (SP 800-53A is the companion assessment guide). Findings from this step update the risk assessment.
  5. Authorize: A senior official (the authorizing official) reviews the risk assessment, the control assessment results and a plan of action for any open findings, and makes an explicit, risk-based decision to authorize the system to operate, or not.
  6. Monitor: Continuously monitor the controls and the system's environment, re-evaluate risk as changes occur, and remediate issues to keep the implemented controls aligned with the organization's risk tolerance.

SP 800-30 states that risk assessments can be conducted at any step of the RMF, not only during control selection, and at all three tiers of the risk management hierarchy: the organization, its mission and business processes, and individual information systems. The key to making both the risk management process and RMF work is risk communication and information sharing, so that each stakeholder has the information they need to make informed decisions about risk.

 

Conclusion

Risk assessment and management are critical practices for any organization working with the federal government. Beyond that, understanding risk and how it shapes control selection, implementation and business decision-making is quickly becoming essential for defending against organized criminal and state-sponsored attackers. Understanding and applying the guidance in NIST SP 800-30 and the RMF is a solid first step in this process.

 

Want to Learn More About NIST 800-30 Compliance with Lazarus Alliance?

Are you ready to shift to a risk-focused cybersecurity posture but don't know where to start? Call Lazarus Alliance at 1-888-896-7580 or fill out this form to learn more about our compliance and risk consulting and auditing services.
