NIST 800-30 and the Risk Assessment Framework
Risk assessment has been and continues to be, one of the more challenging cybersecurity practices that many organizations will put into place. Unlike simple security control implementation and maintenance, risk assessment calls for your organization to understand how adopting, or not adopting, particular controls, operations or processes can impact security.
As the federal government and the defense supply chain are turning more and more attention to the importance of cybersecurity (including President Biden’s Executive Order on the subject and the several bills in Congress addressing limitations in our security posture), businesses working in that area will be expected to implement risk-based compliance. This fact, in turn, means that you must understand critical government frameworks that speak about risk.
In this article, we are discussing NIST 800-30 and how it serves as a foundation for risk assessment in government compliance.
What Is the NIST 800 Series of Documents?
At the heart of almost every U.S government’s technical and cyber regulations is the National Institute of Standards and Technology (NIST). This organization often works with regulatory bodies like the FedRAMP Joint Authorization Board (JAB), the CMMC Authorization Board (CMMC-AB) and nearly every federal or defense agency tasked with administering technology for the service or defense of the American public.
As part of their responsibilities, NIST publishes regular documentation and reports on cybersecurity regulations and security frameworks. These documents, often called “Special Publications” (or SPs) cover everything from cybersecurity infrastructure, cloud security, network security and risk assessment.
One such series of these publications, called the 800 series, specifically covers computer policy, cybersecurity, security policies and procedures that agencies and contractors must adhere to while working with sensitive government data. Some of the more well-known examples of 800-series documents include:
- NIST SP 800-53: This document covers a broad and comprehensive set of security controls and categories integral to for cybersecurity. Within this document, you’ll find security control families covering Identity and Access Management, physical security measures, encryption and security, privacy controls and other key security areas. It serves as the basis for several federal and DoD frameworks, including FedRAMP.
- NIST SP 800-171: This publication includes definitions and requirements for the handling, storage, transmission and processing of Controlled Unclassified Information (CUI). This unique category of data covers information generated as part of operations with certain federal and defense agencies that aren’t defined as classified information but nonetheless require special protection measures.
- NIST SP 800-125: Many agencies and contractors use systems that implement technology virtualization, which comes with its own set of security challenges. 800-125 defines virtualization for government use and outlines requirements for securing hardening and provisioning virtual systems.
- NIST SP 800-122: 800-122 covers recommendations from NIST on the handling of Personal Identifiable Information (PII), including the security measures in place protecting that data at-rest and in-transit and the procedures used to legitimately disclose or prevent the unauthorized disclosure of that data.
- NIST SP 800-37: This document defines the Risk Management Framework (RMF) and its six-step process.
There are dozens of documents in the 800 series, including new publications with up-to-date revisions and special addendums on documents to help cover niche use cases. One, in particular, NIST SP 800-30, covers risk assessment and management and informs one of the most important compliance frameworks that most government contractors will engage with.
What is NIST 800-30 and How Does it Apply to RMF?
NIST SP 800-30, titled “Guide for Conducting Risk Assessments” does exactly what that title suggests–defines a risk management process with assessment practices to help organizations implement those practices in their infrastructure.
More concretely, NIST 800-30 outlines this process as a relationship between four different steps:
- Frame: The first thing that an organization should do is frame their risk profile. This includes creating a risk management strategy on how you intend to frame risk, define acceptable risk (based on regulations and operations) and what it would look like procedurally for the organization to implement the following three steps.
- Assess: Risk assessment is the act of investigating and understanding the level of risk in your infrastructure or system development life cycle. In general, this means understanding the “potential adverse impacts to organizational operations and assets, individuals, other organizations and the economic and national security interests of the United States arising from the operation and use of information systems and the information processed, stored and transmitted by those systems” This mouthful simply means that you must be able to define policies and standards by which you understand how design and implementation decisions impact security or lack thereof, and how you justify that risk in the context of your business operations and compliance obligations.
- Monitor: Simply put, what are your procedures and policies around monitoring risk as it evolves in your system. New components, new security threats, new upgrades and even new personnel can impact your risk, and you must have something in place to monitor that shifting risk profile.
- Respond: Now that you understand, assess and monitor risk, how do you respond to demands for risk reassessment? What remediation measures do you use to update systems in the face of risk profile changes?
It’s important to note that none of these are either a concrete “first” or “last” step. While your company will follow these steps in this order initially, the continuing development and remediation lifecycle of any system will require you to continually revisit each step and re-evaluate your strategies, risk profile and response efforts.
Following this risk management breakdown, NIST 800-30 additionally integrates into the requirements of the Risk Management Framework (RMF). Broadly speaking, RMF defines a more comprehensive six-step approach to implementing security controls based on a risk-focused approach. These six steps are:
- Categorize: identify risk potential and make security decisions based on risk management strategies.
- Select: Use risk assessments to select specific security controls as part of compliance requirements. This is different from simply checking boxes to meet compliance: instead, RMF expects that you deploy controls based on both security compliance and informed risk strategies.
- Implement: Implement security controls based on the risk assessment and to make choices about control alternatives.
- Assess: Once implementation is complete, use data from implemented controls to inform further risk assessments and strategies.
- Authorize: Using both risk assessments, risk strategies and security control insights, authorize technical and business leadership to make decisions regarding risk and cybersecurity.
- Monitor: Continually monitor the operations of controls and re-evaluate risk, taking action to remediate issues if necessary to align security controls with risk goals.
According to NIST 800-30, an organization should be able to, depending on their business objectives, utilize the four-step risk management process at any point in their RMF compliance journey. The key aspect of ensuring smooth deployment of both the risk management process and RMF is risk communication and information sharing, where each stakeholder has access to the information they need to make informed decisions regarding risk assessment and management.
Risk assessment and management are critical practices for any organization working with the federal government. Beyond that, understand risk and how it impacts security controls, implementation and business decision making is quickly emerging as a crucial process to help fight emerging security threats from organized and state-sponsored hackers. Understanding and complying with the guidelines in NIST SP 800-30 and RMF are an incredible first step in this process.
Want to Learn More About NIST 800-30 Compliance with Lazarus Alliance?
Are you ready to shift to a risk-focused cybersecurity posture but don’t know where to start? Call Lazarus Alliance at 1-888-896-7580 or fill our this form to learn more on our compliance and risk consulting and auditing services.