NIST SP 800-37 Rev. 2: Risk Management Framework Step 6 – Monitor (SP 800-53A)

Anthony M. McCartney

College of Science and Technology, Bellevue University

October 25, 2023

NIST SP 800-37 Rev. 2: Risk Management Framework Step 6 – Monitor (SP 800-53A)

            The final step of the Risk Management Framework (RMF) is to monitor the security and privacy controls. This is the step in which the organization watches for and addresses security incidents and reviews the system and its environment for changes that affect security. Under Section 3.7 of NIST Special Publication 800-37 Rev. 2 (Joint Task Force, 2018), its purpose is “to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.”

Importance of Monitoring

            While each of the other steps is equally important within the RMF life cycle, none of them would matter without a process for determining whether the controls are working, whether they need adjusting, and whether incidents are taking place. SP 800-37 Rev. 2 breaks the Monitor step into seven tasks (M-1 through M-7), each with expected outcomes intended to improve the security posture of the system.

System and Environment Changes

            This task watches for ongoing changes to the system and its operating environment that can affect risk, and it results in updates to the security and privacy plans and assessment reports. Such changes can be user-based, changes to the physical environment, technology and hardware upgrades and patches, or anything else that modifies the overall system and its health.

Ongoing Assessments

            Assess the controls implemented in and inherited by the system on an ongoing basis, according to the organization’s continuous monitoring strategy. The inputs to this assessment include the security and privacy plans, assessment plans, information from auditing systems and log servers, plans of action and milestones, prior audit reviews, and related controls, policies, and agreements. Should any of these inputs no longer be relevant or need adjusting, this is the task in which they are updated and the results are recorded in the security and privacy assessment reports.

Ongoing Risk Response

            Mitigation of and response to risks as they are identified through the monitoring process and risk assessments. At this point each identified risk is either addressed and remediated or formally accepted.

Authorization Package Updates

            Plans of action and milestones, procedures, and assessment reports are updated so that the authorization package reflects the current state of the system.

Security and Privacy Reporting

            Appropriate stakeholders and officials receive updated reports on the security and privacy posture of the system and the organization. These typically go to the authorizing official, C-suite executives, boards, senior security officers, and other similar roles within the organization.

Ongoing Authorization

            Continuous review of the security posture of the system to determine whether its risk remains acceptable. Is what was previously judged acceptable still acceptable, or must it now be mitigated? If the risk remains acceptable, the authorization stays in place; if it does not, the authorizing official decides how the authorization should change.

System Disposal

            Whenever a system is removed from operation, there must be a process by which it is properly decommissioned. This can include data destruction, media sanitization, retirement of the system’s policies and records, or any other action that retires and removes unused systems, strengthening the security posture by removing the risk those systems carried.

Consequences if Monitoring Were Not Included in the RMF Life Cycle

            Monitoring is a critical step in the process: it ensures that the controls in place are working, that the policies and procedures still fit the organization’s needs, and that risk is addressed and mitigated as the system and its environment change. Without it, controls that were effective at the time of authorization degrade silently. Failure to continuously assess and adjust both old and new procedures will ultimately leave the organization exposed to risk under the guise of false security.

Works Cited

Joint Task Force. (2018). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST Special Publication 800-37, Revision 2). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-37r2