There are many approaches to managing risk and consequently many different RMFs. In fact, ENISA128 enumerated no fewer than 29 such RMFs with potential interoperability, including the HITRUST RMF, in support of an initiative to develop an interoperable EU RMF.129 Selection was based on the following criteria:

  • “Risk management frameworks and methodologies used as best practice in the industry [emphasis added], regardless of their scope, type and size of organisation, target audience, etc.;
  • “Risk management frameworks and methodologies proposed as standards and guidelines by international and national standardisation bodies;
  • “Risk management methodologies and methods proposed by academia.”130

The criteria for excluding an RMF were explained as follows.

We excluded risk management frameworks and methodologies that were obsolete (i.e., those that had not been supported for more than ten years) and that did not support the fundamental risk management processes (i.e., those that provide guidance only for risk treatment, etc.). Further, we excluded risk management frameworks and methodologies that were proposed in academic sources but did not provide specific guidance for their implementation. Thus, the survey aimed to identify the state-of-the-art risk management frameworks and methodologies [emphasis added], rather than to provide an exhaustive list of all risk management frameworks and methodologies.131

In addition to those provided by ISO, NIST, and HITRUST, notable RMFs on the list of “prominent risk management frameworks and methodologies that are currently in use”132 include those provided by Germany’s BSI,133 Carnegie Mellon University134 in the U.S., the European Telecommunications Standards Institute (ETSI),135 Luxembourg’s Cyberworld Awareness and Security Enhancement Services (CASES),136 the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI),137 the Spanish Ministerio de Asuntos Económicos y Transformación Digital,138 the European Commission Directorate-General for Communication Security,139 and The Open Group,140 among others.

ENISA’s analysis of these frameworks resulted in the identification of eight features “that enable (or limit) the potential for interoperability of [RMFs] and methodologies.”141

  • Support for other risk management standards, frameworks, and methodologies
  • Breadth of the risk management components addressed
  • Whether the approach addresses assets, scenarios, or both
  • Use of qualitative, semi- or quasi-quantitative, or quantitative methods of evaluating risk
  • Types of catalogs or libraries used to support the approach
  • Method of risk calculation
  • Languages supported by the method (with an English version being of advantage)
  • Cost of licensing

ENISA’s final report on interoperability142 includes an evaluation of 16 of the 29 standards, frameworks, and methods based on a more detailed assessment and scoring model.143 As the HITRUST RMF was not among them, we provide in the table below an evaluation of the HITRUST RMF that follows the same model ENISA applied to those 16, first without the implementation of QQRRA and then with it.

Table 5. Potential Interoperability of the HITRUST RMF

Columns follow ENISA’s scoring model. Generic Aspects: Asset-based (AB) / Scenario-based (SB); Quantitative (QT) / Qualitative (QL) Approach. FUNCTIONAL: Risk Identification, scored from Asset Taxonomy (30%), Asset Valuation (50%), Threat Catalogues (10%), and Vulnerability Catalogues (10%); Risk Assessment, scored from the Risk Calculation Method; Risk Treatment, scored from the Measure Catalogue & Calculation of Residual Risk. NON-FUNCTIONAL: Supported Languages; Supports Other Related Frameworks.

HITRUST RMF (Pre-QQRRA)
  Generic Aspects
    Asset-based (AB) / Scenario-based (SB): AB
    Quantitative (QT) / Qualitative (QL) Approach: QL
  Functional: Risk Identification
    Asset Taxonomy (30%): No specific categories of assets provided. As a framework, accommodates any asset taxonomy. Interoperability Level: 3
    Asset Valuation (50%): No specific categories of assets provided. As a framework, accommodates any asset taxonomy. Interoperability Level: 3
    Threat Catalogues (10%): The HITRUST Threat Catalogue is specific to the threats/controls in the RMF; however, other sources may be mapped and used for analysis. Interoperability Level: 3
    Vulnerability Catalogues (10%): No vulnerability catalogue provided. As a framework, it can accommodate any set of vulnerabilities or vulnerability catalogues. Interoperability Level: 3
  Functional: Risk Assessment
    Risk Calculation Method: The HITRUST RMF provides a specific approach to calculating risk using control maturity and impact codes for each control relevant to an asset or set of assets. Interoperability Level: 1
  Functional: Risk Treatment
    Measure Catalogue & Calculation of Residual Risk: HITRUST CSF controls are fully tailorable based on inherent risk to the organization, and the resulting control specification can be fully integrated into any type of risk analysis. Interoperability Level: 3
  Non-Functional
    Supported Languages: EN
    Supports Other Related Frameworks: ISO 27001/2, NIST SP 800-53

HITRUST RMF (Post-QQRRA)
  Generic Aspects
    Asset-based (AB) / Scenario-based (SB): AB/SB (QQRRA / Risk Catalogue)
    Quantitative (QT) / Qualitative (QL) Approach: QT (QQRRA / Risk Catalogue)
  Functional: Risk Identification
    Asset Taxonomy (30%): The HITRUST Risk Catalogue will provide a generic list of information asset classes; however, any taxonomy for assets may be used for QQRRA. Interoperability Level: 3
    Asset Valuation (50%): QQRRA provides decision support tools that are modifiable and can be used for any approach to asset valuation. Interoperability Level: 3
    Threat Catalogues (10%): The HITRUST Risk Catalogue is specific to the threats/controls in the RMF; however, other sources may be mapped and used for analysis. Interoperability Level: 3
    Vulnerability Catalogues (10%): The HITRUST Risk Catalogue will provide a generic list of vulnerability types for various classes of information assets; however, any source for assets/vulnerabilities may be used for QQRRA. Interoperability Level: 3
  Functional: Risk Assessment
    Risk Calculation Method: QQRRA provides a patent-pending approach to computing residual risk based on likelihood using control effectiveness and impact expressed in monetary terms, related threats, and threat actor motivation and capability. Results are easily mapped to the results of other frameworks. Interoperability Level: 3
  Functional: Risk Treatment
    Measure Catalogue & Calculation of Residual Risk: HITRUST CSF controls are fully tailorable based on inherent risk to the organization, and the resulting control specification can be fully integrated into QQRRA or any other type of risk analysis. Interoperability Level: 3
  Non-Functional
    Supported Languages: EN
    Supports Other Related Frameworks: ISO 27001/2, NIST SP 800-53

The following table summarizes the potential interoperability of these 16 standards, frameworks, and methods144 together with the scores for the HITRUST RMF, both before and after QQRRA.

Table 6. Potential Interoperability of Various Prominent Risk Management Standards, Frameworks, & Methodologies

Overall evaluation by interoperability feature. Risk Identification covers Asset Taxonomy, Asset Valuation, Threat Catalogues, and Vulnerability Catalogues; Risk Assessment covers the Risk Calculation Method; Risk Treatment covers the Measure Catalogue & Calculation of Residual Risk. Values are potential interoperability scores.

Standards, Frameworks, and Methodologies     Risk Identification   Risk Assessment   Risk Treatment   Overall Potential Interoperability
HITRUST RMF (QQRRA)                          3                     3                 3                3.00
NIST SP 800-37145                            3                     3                 3                3.00
OCTAVE ALLEGRO146                            3                     3                 3                3.00
OCTAVE-S147                                  3                     3                 3                3.00
ISO/IEC 27005:2018148                        2.7                   3                 3                2.90
MONARC149                                    2.7                   3                 3                2.90
OCTAVE FORTE150                              2.7                   3                 3                2.90
THE OPEN GROUP STD RISK ANALYSIS V2.0151     2.1                   3                 3                2.70
BSI STANDARD 200-2152                        2                     3                 3                2.67
GUIDELINES ON CYBER SECURITY ONBOARD SHIPS153  3                   2                 3                2.67
NIST SP 800-39154                            2                     3                 3                2.67
EBIOS RM155                                  2.9                   2                 3                2.63
ETSI TS 102-165-1156                         2.7                   2                 3                2.57
MAGERIT v3157                                2.4                   2                 3                2.47
HITRUST RMF (Pre-QQRRA)                      3                     1                 3                2.34
ITSRM158                                     1.9                   2                 3                2.30
NIST SP 800-30159                            1.6                   2                 3                2.20
MEHARI160                                    2                     1                 3                2.00

Current interoperability scores are consistent with the many and varied ways in which HITRUST has seen public and private sector organizations use the HITRUST RMF. These range from simply using the HITRUST CSF as a compendium of best practices to adopting and integrating the HITRUST CSF, the HITRUST Assurance Program, and supporting components into organization-wide information protection and risk management programs. Integrating QQRRA into the HITRUST Approach through the relevant products, services, and tools will further raise this level of interoperability and improve support for integration into organizational information protection and risk management programs, regardless of any other standards, frameworks, or methodologies those organizations may also leverage.

128 ENISA (2022). About ENISA – The European Union Agency for Cybersecurity.

129 ENISA (2022a, Jan). Compendium of Risk Management Frameworks with Potential Interoperability: Supplement to the Interoperable EU Risk Management Framework Report. Attiki, GR: Author.

130 Ibid., pp. 6-7.

131 Ibid., p. 7.

132 Ibid., p. 8.

133 BSI (2022). BSI-Standards.

134 Carnegie Mellon University Software Engineering Institute (2022). SEI: Publications: Digital Library: Search Results: OCTAVE.

135 European Telecommunications Standards Institute, ETSI (2022). Standards: Search: Cybersecurity.

136 MONARC (2022). What is MONARC?

137 Agence Nationale de la Sécurité des Systèmes d’Information, ANSSI (2022). EBIOS Risk Manager – The Method.

138 Portal Administración Electrónica (2022). The Portal E-government: Cover Page of Documentation: Cover of Methodologies and Guidelines: Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información.

139 European Commission (2022). Home: Departments and Executive Agencies: Informatics.

140 The Open Group (2022). Risk Analysis.

141 ENISA (2022a), p. 31.

142 ENISA (2022b, Jan). Interoperable EU Risk Management Framework: Methodology for and assessment of interoperability among risk management frameworks and methodologies. Attiki, GR: Author.

143 Ibid., pp. 6-12.

144 Ibid., pp. 24-25.

145 JTF (2018, Dec).

146 Caralli, R., Stevens, J., Young, L., and Wilson, W. (2007, May). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process (CMU/SEI-2007-TR-012). Pittsburgh: Carnegie Mellon University.

147 Alberts, C., Dorofee, A., Stevens, J., and Woody, C. (2005, Jan). OCTAVE®-S Implementation Guide, Version 1.0 (CMU/SEI-2003-HB-003). Pittsburgh: Carnegie Mellon University.

148 ISO/IEC (2018). Information Technology – Security Techniques – Information Security Risk Management (ISO/IEC 27005:2018). Geneva: Author.

149 CASES (2016, Apr). MONARC Version 1.0. Luxembourg: Author.

150 Tucker, B. (2020, Nov). Advancing Risk Management Capability Using the OCTAVE FORTE Process (CMU/SEI-2020-TN-002). Pittsburgh: Carnegie Mellon University.

151 The Open Group (2021, Nov). Risk Analysis (O-RA), Version 2.0.1. Berkshire, UK: Author.

152 BSI (2017, Oct). IT-Grundschutz Methodology (BSI-Standard 200-2). Bonn: Author.

153 Baltic and International Maritime Council, BIMCO (2020). The Guidelines on Cyber Security Onboard Ships, Version 4.0.

154 JTF TI (2011, Mar).

155 ANSSI (2022).

156 ETSI (2017, Oct). CYBER; Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA) (ETSI TS 102 165-1 V5.2.3). Sophia Antipolis Cedex, FR: Author.

157 Portal Administración Electrónica (2022).

158 European Commission (2020, 8 Nov). IT Security Risk Management Methodology v1.2: Description of the Methodology (v1.2 r19).

159 JTF TI (2012, Sep).

160 Club de la Sécurité de l’Information Français, CLUSIF (2022). Reception: Services: Risk Management: The Fundamentals of MÉHARI (Google Translation).