By Nancy Peaslee and Rodney Morris

Looking for cost effective execution of the Risk Management Framework (RMF)? Need to prioritize protection of your most critical systems and assets? Want to reduce complexity and automate monitoring and controls?

A well-thought-out RMF framework will ensure your government agency takes the right steps to align your risk tolerance with the layers of security needed to adequately protect your network systems and data. Government leaders understand the importance of safeguarding classified and privacy data and documenting compliance with cybersecurity and privacy requirements. However, we often see organizations overlooking ways to implement RMF more cost effectively.

Specifically, here are a few opportunities in your RMF to take a closer look at:

  • Assess a risk tolerance score for all of your organization’s systems and assets
  • Prioritize security protections for the most critical and strategic assets
  • Reduce resources and complexity required with automated monitoring
  • Review RMF policies annually and when processes change

Customizing a Risk Management Framework to Your Agency

1. Risk Assessment: Detailed Audit of All Systems and Assets
It all starts with a strategic look at your organization’s goals and priorities for managing security and privacy risk, including:

  • Defining where the organization is now
  • Identifying gaps where risks lie
  • Assessing requirements currently in place
  • Determining policies and processes still needed

A key component of the risk assessment is a detailed audit of network systems and assets – from each system to every computer to all data – to detect security gaps and vulnerabilities of each asset. It involves collecting information on your network topology, policies, configuration documentation and reports that demonstrate your compliance to date. Leadership should be engaged from the beginning of this detailed process.

2. Risk Profile: Determine Risk Tolerance and Risk Strategy
To create a risk profile, categorize each risk and prioritize the risk to the organization’s mission, functions, and operations based on the likelihood of the scenario happening, its consequences, and the severity of the impact. For each asset, consider whether to accept, mitigate, or transfer the risk and determine a risk tolerance score.

Key questions to consider:

  • Do we need to address this or can we transfer the risk?
  • Which assets are strategic, high priority areas to protect?
  • Which risks could have the greatest impact on operations?
  • Do we need to mitigate due to security requirements? privacy compliance?

The more protections built in to manage risks, the more resources are needed and higher the costs to the organization. Optimally, you want to formulate a risk management strategy that aligns your risk tolerance with the right level of requirements. Organizations gain operational efficiencies by focusing higher levels of security on what is most important: strategic, high priority areas reflected in your risk tolerance scores.

“The more strategic or valuable the information,
the more protection is needed or you’ll have higher risk
and potentially adverse consequences.”
— Rodney Morris, Chief Technology Officer, Graham Tech

3. RMF Roadmap: Create and Implement a Customized Plan
Now, you’re ready to customize your RMF roadmap for your organization mapping out consistent, cost-effective risk management processes needed to address security and privacy risks identified during your risk assessment. You’ll select a baseline of security controls, document how controls are deployed, and assess that controls are in place and produce the desired results. It is key to build in continuous monitoring and a configuration management process for iterative refinements. Your RMF roadmap should be built into detailed project plans and part of your DevOps process.

4. Monitor Controls: Automate Vulnerability Scans and Alerts
Much of the operational efficiencies to be gained result from thoughtfully considering automated tools for monitoring security controls. A number of government agencies have realized cost efficiencies with automated tools for vulnerability scans, managing dashboards, tracking and analyzing data, and pre-set alerts. It is important to maintain the documentation demonstrating compliance – from policies and security settings to scanned reports to screen captures showing requirement compliance.

5. Validate Risk Tolerance: Assess Level of Risk Willing to Accept
After evaluating your controls, reviewing your scans, and analyzing your data, you have a better idea of the level of risk within your organization. You may choose to work on further risk mitigations or accept the current level of risk.

6. Iterative Refinements: Establish Baseline and Automate Alerts for Changes
It is vital to map out your configuration management process for iterative refinements in the software development life cycle. You’ll establish your baseline, define how you’ll track changes over time, and your documentation processes.

A Change Control Board requests documentation on the rationale for changes to the baseline and is responsible for approving these changes. While most organizations log changes, often these logs are rarely looked at. Disorganization or a lack of automation in the configuration management processes are major issues, such as not diligently keeping track of who is changing what. It is helpful to set up automated alerts so admins are aware immediately of specific changes to check in on items moving away from the baseline. You’ll want to determine a schedule for reviewing changes, such as:

  • Agile development – every 2 weeks after each sprint
  • Waterfall development – every 3-4 months after each cycle
  • Breach – anytime a breach or new threat is identified

Is your network safe? Nobody can answer that question conclusively. Having a Risk Management Framework is vital to the security of all your assets and ensuring privacy compliance. It is essential that your organization carefully thinks through its risk tolerance, risk strategy, and defensive layers of security needed to minimize vulnerabilities from today’s omnipresent threat of cybersecurity threats. Automated scans and alerts are now a requirement to keep up with new vulnerabilities real-time.

Our advice: Start with a risk assessment to audit assets and identify your risk profile. Graham Technologies is adept at creating and implementing a Risk Management Framework tailored to your software development life cycle or your data center – often delivering cost efficiencies through automation and matching requirements to risk tolerance.

Contact us today to learn how we can help your organization with a Risk Assessment to carefully evaluate your risk tolerance, risk strategy, and the right layers of security needed.