Risk assessment has been, and continues to be, one of the more challenging cybersecurity practices that an organization can put into place. Unlike straightforward security control implementation and maintenance, risk assessment calls for your organization to understand how adopting, or not adopting, particular controls, operations or processes affects its security. As the federal government and the defense supply chain turn more and more attention to cybersecurity (including President Biden’s Executive Order on the subject and the several bills in Congress addressing limitations in our security posture), businesses working in that area will be expected to implement risk-based compliance. This, in turn, means that you must understand the critical government frameworks that address risk. In this article, we discuss NIST 800-30 and how it serves as a foundation for risk assessment in government compliance.

What Is the NIST 800 Series of Documents?

At the heart of almost all U.S. government technical and cyber regulations is the National Institute of Standards and Technology (NIST). This organization often works with regulatory bodies like the FedRAMP Joint Authorization Board (JAB), the CMMC Accreditation Body (CMMC-AB) and nearly every federal or defense agency tasked with administering technology for the service or defense of the American public. As part of its responsibilities, NIST publishes documentation and reports on cybersecurity regulations and security frameworks. These documents, often called “Special Publications” (or SPs), cover everything from cybersecurity infrastructure and cloud security to network security and risk assessment. One series of these publications, the 800 series, specifically covers the computer security policies, practices and procedures that agencies and contractors must adhere to while working with sensitive government data.
Some of the more well-known examples of 800-series documents include:
There are dozens of documents in the 800 series, including new publications, up-to-date revisions and special addendums that cover niche use cases. One in particular, NIST SP 800-30, covers risk assessment and management and informs one of the most important compliance frameworks that most government contractors will engage with.

What Is NIST 800-30 and How Does It Apply to RMF?

NIST SP 800-30, titled “Guide for Conducting Risk Assessments”, does exactly what that title suggests: it defines a risk management process and the assessment practices needed to implement that process in an organization’s infrastructure. More concretely, NIST 800-30 outlines this process as a relationship between four steps:
It’s important to note that none of these is a fixed “first” or “last” step. While your company will follow the steps in this order initially, the continuing development and remediation lifecycle of any system will require you to revisit each step and re-evaluate your strategies, risk profile and response efforts. Building on this risk management breakdown, NIST 800-30 also integrates with the requirements of the Risk Management Framework (RMF). Broadly speaking, RMF defines a more comprehensive six-step, risk-focused approach to implementing security controls. These six steps are:
According to NIST 800-30, an organization should be able to apply the four-step risk management process at any point in its RMF compliance journey, depending on its business objectives. The key to deploying both the risk management process and RMF smoothly is risk communication and information sharing, where each stakeholder has access to the information they need to make informed decisions about risk assessment and management.

Conclusion

Risk assessment and management are critical practices for any organization working with the federal government. Beyond that, understanding risk and how it affects security controls, implementation and business decision making is quickly emerging as a crucial process in the fight against emerging threats from organized and state-sponsored attackers. Understanding and complying with the guidelines in NIST SP 800-30 and RMF is an excellent first step in this process.

Want to Learn More About NIST 800-30 Compliance with Lazarus Alliance?

Are you ready to shift to a risk-focused cybersecurity posture but don't know where to start? Call Lazarus Alliance at 1-888-896-7580 or fill out this form to learn more about our compliance and risk consulting and auditing services.
NIST 800-30 is a document developed by the National Institute of Standards and Technology in furtherance of its statutory responsibilities under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996.

Q1. What is the purpose of NIST Special Publication 800-30?
Ans. The main purpose of NIST Special Publication 800-30 is to help organizations manage their IT-related mission risks using a structured approach. The publication also provides guidance on how to select and implement security controls in a cost-effective manner.

Q2. What is the principal goal of an organization’s risk management process?
Ans. The principal goal of an organization’s risk management process is to protect the organization and its ability to perform its mission, not just its IT assets. The risk management process should not be treated primarily as a technical function but as an essential management function of the organization. Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures against the gains in mission capability achieved by protecting the IT systems and data that support the organization’s mission.

Q3. According to NIST, what three processes compose risk management?
Ans. The three processes that compose risk management are:
i. Risk Assessment
ii. Risk Mitigation
iii. Evaluation and Assessment

Q4. How does risk management relate to the System Development Life Cycle (SDLC)?
Ans. The risk management process and the System Development Life Cycle (SDLC) are closely related. Risk management can be fully integrated into each phase of the SDLC because it is an iterative process that can be performed during each major phase. In the Initiation phase the different risks are identified, and in the following Development phase these identified risks are used to support the security analyses of the IT system. Risk management can likewise be performed in the remaining phases. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC.

Q5. NIST 800-30 defines seven Information Assurance “key roles”. Name and briefly describe each.
Ans. The seven Information Assurance “key roles” defined in NIST 800-30 are:
i. Senior Management – ensures that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission.
ii. Chief Information Officer (CIO) – responsible for the agency’s IT planning, budgeting and performance, including its information security components.
iii. System and Information Owners – ensure that proper controls are in place to address the integrity, confidentiality and availability of the IT systems and the data they own.
iv. Business and Functional Managers – take an active role in the risk management process.
v. ISSO – responsible for the security program, including risk management.
vi. IT Security Practitioners – responsible for the proper implementation of security requirements in their IT systems.
vii. Security Awareness Trainers – responsible for developing appropriate training materials and incorporating risk assessment into training programs to educate end users.

Q6. How does NIST 800-30 define the security primitives threat, vulnerability and risk?
Ans. A threat is defined as the potential for a threat-source to exercise a specific vulnerability, accidentally or intentionally. A vulnerability is defined as a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised and result in a violation of the security policy. Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Q7. How is a threat-source defined? Name three common threat sources.
Ans. A threat-source is defined as an intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability. The three common threat sources are natural, human and environmental.

Q8. According to NIST, whose responsibility is IT security? (technical or management)
Ans. IT security is the responsibility of both the technical and management teams, as the organization’s security is in the hands of IT security program managers and security officers. Both are involved in risk management.

Q9. What is a security control? Define: technical controls, management controls and operational controls.
Ans. A security control is a measure which, when used appropriately, can prevent, limit or deter threat-source damage to an organization’s mission. Technical controls are configured to protect against given types of threats; they range from simple to complex measures and usually involve system architectures, engineering disciplines and security packages with a mix of hardware, software and firmware. Management controls are implemented to manage and reduce the risk of loss and to protect an organization’s mission; they focus on the stipulation of information protection policy, guidelines and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions. Operational controls are used to correct operational deficiencies that could be exercised by potential threat-sources.

Q10. How should the adverse impact of a security event be described?
Ans. The adverse impact of a security event can be described in terms of the loss or degradation of any one, or a combination, of the following three security goals: integrity, availability and confidentiality.

Q11. Describe the difference between quantitative and qualitative assessment.
Ans. Qualitative and quantitative assessment are both used for impact analysis, and each has its own advantages and disadvantages. Qualitative impact analysis prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities, but it does not provide specific quantifiable measurements of the magnitude of the impacts, which makes a cost-benefit analysis of any recommended controls difficult. Quantitative impact analysis provides a measurement of the impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls. Its disadvantage is that, because the measurement is expressed in numerical ranges, the meaning of the analysis can be unclear, so the result still has to be interpreted in a qualitative manner.

Q12. Name and describe six risk mitigation options.
Ans. The six risk mitigation options are:
i. Risk Assumption: accept the potential risk and continue operating the IT system, or implement controls to lower the risk to an acceptable level.
ii. Risk Avoidance: avoid the risk by eliminating the risk cause and/or consequence.
iii. Risk Limitation: limit the risk by implementing controls that minimize the adverse impact of a threat exercising a vulnerability.
iv. Risk Planning: manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controls.
v. Research and Acknowledgment: lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
vi. Risk Transference: transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

Q13. What is residual risk?
Ans. Residual risk is defined as the risk remaining after the implementation of new or enhanced controls.

The NIST 800-30 PDF can be found at: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
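The answers to Q6, Q11, Q12 and Q13 above describe risk as a function of likelihood and impact, contrast quantitative scores with qualitative risk levels, and define residual risk as what is left after controls are applied. The following Python block is an added worked example, not code from the page, from NIST or from Lazarus Alliance, that carries those definitions through on constructed sample findings. The likelihood weights (1.0/0.5/0.1), impact magnitudes (100/50/10) and risk bands are taken from the risk-level matrix in the 2002 edition of SP 800-30 (Table 3-6), which this page does not reproduce; the findings, controls and the "accept at Low" tolerance policy are assumptions made for illustration.

```python
"""Worked example of SP 800-30 (2002) style risk scoring and residual risk.

Added illustration; not code from NIST, from the page or from Lazarus Alliance.
Scales follow the 2002 edition's risk-level matrix (Table 3-6). The findings,
controls and tolerance policy below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Likelihood weights and impact magnitudes from the 2002 SP 800-30 matrix.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
RANK = {"Low": 0, "Medium": 1, "High": 2}   # ordering used to compare ratings


@dataclass
class Finding:
    """One threat-source / vulnerability pair from the risk assessment."""
    threat_source: str        # natural, human or environmental (Q7)
    vulnerability: str
    likelihood: str           # Low / Medium / High
    impact: str               # Low / Medium / High
    goal_affected: str        # confidentiality / integrity / availability (Q10)


@dataclass
class Control:
    """A recommended control and the rating it brings the finding down to."""
    name: str
    kind: str                               # technical / management / operational (Q9)
    likelihood_after: Optional[str] = None  # None: control does not change likelihood
    impact_after: Optional[str] = None      # None: control does not change impact


def risk_score(likelihood: str, impact: str) -> float:
    """Quantitative score (Q11): likelihood weight times impact magnitude."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Qualitative band the 2002 matrix assigns to a score (the interpretation step of Q11)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def lower(current: str, proposed: Optional[str]) -> str:
    """A control never raises a rating: keep the lower of the two."""
    if proposed is None or RANK[proposed] >= RANK[current]:
        return current
    return proposed


def residual_risk(finding: Finding, controls: List[Control]) -> Tuple[float, str]:
    """Score and level remaining after the controls are applied (residual risk, Q13)."""
    likelihood, impact = finding.likelihood, finding.impact
    for control in controls:
        likelihood = lower(likelihood, control.likelihood_after)
        impact = lower(impact, control.impact_after)
    score = risk_score(likelihood, impact)
    return score, risk_level(score)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Qualitative output: findings ordered for immediate attention, highest score first."""
    return sorted(findings, key=lambda f: risk_score(f.likelihood, f.impact), reverse=True)


def disposition(residual_level: str, tolerance: str = "Low") -> str:
    """Constructed policy (assumption): risk assumption at or below the tolerance band,
    otherwise keep applying risk limitation (Q12 options i and iii)."""
    return "assume" if RANK[residual_level] <= RANK[tolerance] else "limit further"


# Constructed sample findings; they are not from any real assessment.
SAMPLE_FINDINGS = [
    Finding("human", "default credentials on admin console", "High", "High", "confidentiality"),
    Finding("environmental", "single power feed to server room", "Medium", "Medium", "availability"),
    Finding("natural", "server room on a flood plain", "Low", "High", "availability"),
]

# Constructed controls for the first finding, one of each control type.
SAMPLE_CONTROLS = [
    Control("unique credentials plus MFA on admin console", "technical", likelihood_after="Medium"),
    Control("credential management policy", "management"),
    Control("console reachable only from the management network", "operational", likelihood_after="Low"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        score = risk_score(f.likelihood, f.impact)
        print(f"{risk_level(score):6} {score:5.0f}  {f.vulnerability} ({f.goal_affected})")
    score, level = residual_risk(SAMPLE_FINDINGS[0], SAMPLE_CONTROLS)
    print(f"residual for first finding: {score:.0f} ({level}) -> {disposition(level)}")
```

Note the boundary the qualitative step hides: a Low likelihood against a High impact scores 10, which the 2002 matrix bands as Low, the same band as a 1. That is exactly the "numerical ranges can make the meaning unclear" caveat from Q11, and why the score is reported alongside the band rather than replaced by it.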