Request Demo

The National Institutes of Standard and Technology’s Risk Management Framework (RMF) is a foundational aspect to managing cybersecurity risk. When coupled with the NIST Cybersecurity Framework (CSF), the NIST RMF is a powerful tool for organizations regardless of size. The RMF is a process-based framework practically applied using multiple more directly practical special publications from NIST - SP 800-30 being one of them. While the NIST CSF is the gold standard for cybersecurity management, being the most comprehensive and flexible, it is also one of the most challenging to implement. In his most recent webinar, CyberSaint Chief Product Officer Padraic O’Reilly discusses the connections between the CSF, RMF and new Privacy Framework - here we’ll be diving into how to use the RMF and SP 800-30 to direct how your organization implements the NIST CSF.

What is NIST SP 800-30

According to NIST: The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations…

SP 800-30 gives risk management teams the ability to examine risk through the lenses necessary to relay that risk back to business leaders: threat type, business impact, and financial impact. Relaying these identified risks in this format helps bridge the gap between cybersecurity and business leaders - as information security becomes an increasing concern at the CEO and Board level, using the same terminology is paramount. SP 800-30 helps technical leaders put cyber risks into a business context.

Using a NIST Risk Assessment to Implement the NIST CSF

The NIST RMF is predicated on actively conducting risk assessments to inform control implementation which makes SP 800-30 so critical to both NIST’s framework for risk management as well as cybersecurity management. The CSF is driven by outcomes and maps onto specific controls - overall, though for strategic planning, the NIST CSF needs a risk assessment to inform where to begin. While O'Reilly sees any framework for risk quantification as a step in the right direction (from a three-by-three matrix through to 800-30 and the FAIR model) he believes that it comes down to how much value the outcomes are to the other members of your organization.

A NIST SP 800-30 risk assessment specifically is of value since it rolls up well into the CSF given that they were developed by the same body. While the CSF is flexible enough to use any risk assessment framework, O'Reilly recommends SP 800-30 for established infosec programs and uses a combination of 800-30 and the FAIR model in the CyberStrong platform.

Tools for Conducting An SP 800-30 Risk Assessment

Implementing both the NIST RMF and CSF relies on a baseline risk assessment - both frameworks are designed to be as valuable as fast as possible. Baselining with a risk assessment informs where organizations should start when implementing both the NIST CSF as well as the RMF. This integrated approach, though, is often stifled by the tools organizations use to support their teams - in short, using spreadsheets with these two gold-standards is insufficient. Integrated risk management tools like the CyberStrong platform help organizations integrate the risk and security assessments into one platform - helping security leaders understand how these two pieces fit together.

You may also like

Why GRC Needs IRM
on August 7, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux
SSP and POAM Guidance for DFARS ...
on July 24, 2019

Defense federal acquisition regulation supplement (DFARS) Compliance has been top of mind for Prime contractors as well as Department of Defense (DoD) suppliers since before the ...

Alison Furneaux
Integrated Risk Management Magic ...
on July 17, 2019

It has been roughly one year since Gartner released the 2018 Magic Quadrant for Integrated Risk Management, the first of its kind, and as of this week the second Integrated Risk ...

Alison Furneaux
"Glass-box" Solutions Are Critical ...
on July 11, 2019

With the likes of Equifax and Marriott, it is no secret that cybersecurity has made its way into the Boardroom. While many executives are experienced in managing myriad business ...

Reading Between the Lines of NIST ...
on July 9, 2019

On June 19th, the National Institute of Standards and Technology (NIST) released the much anticipated Rev 2 of SP 800-171 and the working draft of supplement SP 800-171B. As the ...

How We're Making DFARS Compliance ...
on July 2, 2019

With the Department of Defense (DoD) making DFARS compliance a requirement for all contractors doing business with the DoD, a great amount of stress has been put on DoD ...