Risk Management Framework (RMF) Overview
If organizations decide to take the FISMA approach, they select and specify security controls for their systems as part of an enterprise-wide information security program. The FISMA approach covers management of the risk faced by the organization as a whole and by the individuals involved in its operational processes.
The FISMA approach provides an effective framework for selecting the security controls a system needs to protect the organization's operations, individuals, and assets.
Risk-Based Approach
The FISMA risk management framework is a process that integrates risk management activities and security into the system's life cycle. The approach takes into account effectiveness and efficiency as well as the constraints an organization faces from laws, executive orders, policies, regulations, and similar requirements.
The FISMA risk management approach consists of the following activities:
- Prepare Step – Carry out the essential preparatory activities at the organization level, the mission and business process level, and the information system level.
- Categorize Step – Categorize the system and the information it processes, stores, and transmits, based on an impact analysis.
- Select Step – Select the security controls for the system and tailor them to the organization, supplementing the existing controls where the organization's risk assessment calls for it.
- Implement Step – Implement the security controls and document how they are deployed within the organization.
- Assess Step – Assess the security controls using predefined procedures so the organization knows whether the controls have been implemented correctly and are operating as intended.
- Authorize Step – Authorize the system based on a determination of the risk to the organization's operations and assets, deciding which risks are acceptable and which are not.
- Monitor Step – Continuously monitor the system, assessing the effectiveness of the controls over time and documenting changes made to the system and its environment.