The concept of preparation is a recent addition to the NIST RMF and supports each of the remaining steps (activities) an organization needs in order to manage risk. Beyond the choice of the NIST RMF itself for this illustration, preparation includes, but is not necessarily limited to, identifying key risk management roles in the organization, establishing a strategy for managing risk, determining the organization's risk tolerance(s), and conducting an organization-wide risk assessment [15].

Organizations then categorize information systems based on the information being processed, stored, and transmitted by each system and on the potential impact to the organization should a threat source successfully exploit a vulnerability. Federal Information Processing Standard (FIPS) 199 [16] requires organizations to categorize each information system as low-impact, moderate-impact, or high-impact separately for each of the three security objectives: confidentiality, integrity, and availability. The potential impact value assigned to each security objective is the highest value (the high-water mark) among the security categories determined for every type of information that the in-scope system processes, stores, or transmits. FIPS 199 permits a value of "not applicable" only for the confidentiality of an individual information type (for example, information already released to the public); it is never permitted for an information system, so a system carries at least a low potential impact for every objective.
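The high-water-mark rule is easy to state but easy to get wrong at the boundaries (several information types, a "not applicable" confidentiality value, the system-level floor of low). The following Python implements FIPS 199 categorization of a system from its information types, then collapses the three objectives into the single overall impact level that FIPS 200 derives from the same high-water mark. It is an added example written for this page, not text or code from NIST; the function names, the `Impact` enumeration and the three sample information types are constructed for illustration and are not taken from any real inventory or from NIST SP 800-60.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so that max() yields the high-water mark."""
    NOT_APPLICABLE = 0  # permitted only for the confidentiality of an information type (e.g. public data)
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information_type(name, confidentiality, integrity, availability):
    """Security category of one information type as an objective -> Impact mapping.

    FIPS 199 allows NOT_APPLICABLE only for confidentiality; integrity and
    availability of an information type must be at least LOW.
    """
    sc = {
        "confidentiality": Impact(confidentiality),
        "integrity": Impact(integrity),
        "availability": Impact(availability),
    }
    for objective in ("integrity", "availability"):
        if sc[objective] is Impact.NOT_APPLICABLE:
            raise ValueError(f"{name}: {objective} cannot be 'not applicable'")
    return sc


def categorize_system(info_types):
    """High-water mark across every information type the system processes, stores or transmits.

    info_types: dict of information-type name -> (C, I, A) Impact values.
    A system can never carry NOT_APPLICABLE: FIPS 199 fixes LOW as the minimum
    for each objective, so a system holding only public information is still
    categorized LOW for confidentiality.
    """
    if not info_types:
        raise ValueError("a system must have at least one information type in scope")
    system_sc = {}
    for objective in OBJECTIVES:
        high_water_mark = max(
            categorize_information_type(name, *values)[objective]
            for name, values in info_types.items()
        )
        system_sc[objective] = max(high_water_mark, Impact.LOW)
    return system_sc


def overall_impact_level(system_sc):
    """Overall system impact level as defined in FIPS 200: the high-water mark across the three objectives."""
    return max(system_sc.values())


def format_sc(label, sc):
    """Render a security category in the FIPS 199 notation:
    SC label = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    parts = ", ".join(f"({objective}, {sc[objective].name})" for objective in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed sample input for this example; not a real system inventory.
EXAMPLE_SYSTEM = {
    "public web content": (Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.MODERATE),
    "contract information": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "routine administrative data": (Impact.LOW, Impact.LOW, Impact.LOW),
}


if __name__ == "__main__":
    for name, values in EXAMPLE_SYSTEM.items():
        print(format_sc(name, categorize_information_type(name, *values)))
    system = categorize_system(EXAMPLE_SYSTEM)
    print(format_sc("example system", system))
    print("overall impact level (FIPS 200):", overall_impact_level(system).name)
```

Note that the availability high-water mark for the sample system comes from the public web content, whose confidentiality is "not applicable": an information type that contributes nothing to one objective can still drive the category for another, which is exactly why the mark is taken per objective rather than per information type.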

In addition to the publications already addressed, related RMF publications include, but are not necessarily limited to, NIST SP 800-30 Rev. 1 [17], which guides the conduct of risk assessments, and NIST SP 800-60 Volumes I [18] and II [19], which map types of information and information systems to the FIPS 199 security categories.

[15] NIST (2022c). Projects: NIST Risk Management Framework: About the RMF: NIST Risk Management Framework (RMF) – Prepare Step.

[16] NIST (2004, Feb). Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199). Gaithersburg, MD: Author.

[17] Joint Task Force Transformation Initiative, JTF TI (2012, Sep). Guide for Conducting Risk Assessments (NIST SP 800-30 Rev. 1). Gaithersburg, MD: NIST.

[18] Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., and Gulick, J. (2008, Aug). Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60 Vol. 1 Rev. 1). Gaithersburg, MD: NIST.

[19] Stine, K., Kissel, R., Barker, W. C., Lee, A., and Fahlsing, J. (2008, Aug). Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60 Vol. 2 Rev. 1). Gaithersburg, MD: NIST.