The closest thing to a “NIST Security Framework” is the NIST Risk Management Framework, NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems.
DIARMF is based on this NIST Security Framework. It has 6 steps: Categorize, Select, Implement, Assess, Authorize and Continuous Monitoring.
NIST Security Framework – Step 1. Categorize
The first risk management framework step is categorization. Categorization is done by the system owner with FIPS 199 and NIST 800-60.
NIST Security Framework – Step 2. Select
Selection of security controls is done with FIPS 200 and NIST SP 800-53.
More on DIARMF – Select
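As an added worked example (not part of the original article), the FIPS 199 categorization from step 1 carried into the baseline choice of step 2: each security objective takes the highest impact of any information type on the system, and the overall system level is the high-water mark across the three objectives. The information types and impact values below are constructed for illustration and are not taken from NIST SP 800-60.

```python
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so that max() gives the high-water mark."""
    NOT_APPLICABLE = 0  # permitted only for the confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def system_security_category(info_types):
    """Step 1 (FIPS 199): for each security objective, the system's impact is the
    highest impact of any information type it processes; a system is never below LOW."""
    category = {}
    for objective in OBJECTIVES:
        highest = max(levels[objective] for levels in info_types.values())
        category[objective] = Impact(max(highest, Impact.LOW))
    return category

def system_impact_level(category):
    """FIPS 200 high-water mark: the overall system level is the highest objective."""
    return Impact(max(category.values()))

def baseline_for(level):
    """Step 2 (FIPS 200 / NIST SP 800-53): the overall impact level selects the baseline."""
    return {Impact.LOW: "Low", Impact.MODERATE: "Moderate", Impact.HIGH: "High"}[level]

def fips199_notation(category):
    """Render the category in the FIPS 199 form SC = {(c, X), (i, Y), (a, Z)}."""
    parts = ", ".join(f"({o}, {category[o].name})" for o in OBJECTIVES)
    return "SC system = {" + parts + "}"

# Constructed sample information types; impact values are illustrative only and
# are not taken from NIST SP 800-60 Volume II.
SAMPLE_INFO_TYPES = {
    "public web content": {"confidentiality": Impact.NOT_APPLICABLE,
                           "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "personnel records":  {"confidentiality": Impact.MODERATE,
                           "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "system audit logs":  {"confidentiality": Impact.LOW,
                           "integrity": Impact.MODERATE, "availability": Impact.LOW},
}

if __name__ == "__main__":
    category = system_security_category(SAMPLE_INFO_TYPES)
    print(fips199_notation(category))
    print("Overall impact:", system_impact_level(category).name,
          "-> NIST SP 800-53", baseline_for(system_impact_level(category)), "baseline")
```

Adding a single information type with HIGH availability would raise the whole system, and therefore the selected baseline, to High, which is why the categorization step decides the cost of everything that follows.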
NIST Security Framework – Step 3. Implement
Using the System Security Plan developed during steps 1 and 2, the organization responsible for the categorized system can begin implementation of the selected security controls.
More on DIARMF – Implement
NIST Security Framework – Step 4. Assess
After the security controls are implemented, step 4 is used to assess those controls. This is done using NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations.
More on DIARMF – Assess
NIST Security Framework – Step 5. Authorize
In step 5, an Authorizing Official makes a formal, written acceptance of the risks.
More on DIARMF – Authorization
NIST Security Framework – Step 6. Continuous Monitoring
Maintaining the security posture of the network / system means doing continuous monitoring.
More on DIARMF – Continuous Monitoring